

Comment letter to the SEC

Re: File Number S7-11-06 — Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting
Release No. 34-54122; File No. S7-11-06

September 18, 2006

Nancy M. Morris, Secretary
United States Securities and Exchange Commission
100 F Street, N.E.
Washington, DC 20549

VIA E-MAIL (rule-comments@sec.gov)

Re: File Number S7-11-06 - Concept Release Concerning Management's Reports on Internal Control Over Financial Reporting

Dear Ms. Morris:

The Society of Corporate Secretaries & Governance Professionals is a professional association, founded in 1946, with over 4,000 members who serve more than 3,000 issuers. Responsibilities of our members include supporting the work of corporate boards of directors, their committees and executive management regarding corporate governance and disclosure. Our members assure issuer compliance with the securities laws and regulations, corporate law, stock exchange listing requirements and the accounting rules, and have been on the front-line in implementing the structural changes necessitated by the Sarbanes-Oxley Act of 2002 and the related rules of the Securities and Exchange Commission, the Public Company Accounting Oversight Board and the exchanges. The majority of Society members are attorneys, although our members also include accountants and other non-attorney governance professionals.

We appreciate the Commission's interest in issuing additional guidance to assist management in its performance of its assessment of internal control over financial reporting, and we believe such guidance would be useful to all reporting companies. We believe the objective of the guidance should be to lessen the administrative burden on reporting companies and the costs of compliance while maintaining a process that enables the investing public to rely with confidence on a company's financial reporting. We encourage the Commission to adopt guidance that allows management to exercise judgment in designing and implementing an assessment process based on each company's individual structure and size, but not to create guidance that is mandatory or prescriptive. Because most issuers have already developed robust procedures for performing their assessments, any new guidance should be sensitive to potential costs of reworking existing processes. For this reason, the guidance should be in the form of clear principles that are recommended to be applied by all companies and their audit firms, rather than by the adoption of specific rules.

We also recommend that the new guidance be consolidated with the Commission's guidance dated May 16, 2005 (the "May 2005 Guidance") to help ensure consistent application and, from a practical standpoint, make it easier for management and the audit firms to assimilate and apply. Further, to avoid confusion it is important that the new guidance be consistent with PCAOB standards, including AS-2. To ensure this consistency, we strongly recommend that AS-2 be amended to refer specifically to, and incorporate, the new guidance.

We believe that new guidance would be most beneficial with respect to the following areas, each of which is described more fully below:

  • the role of outside auditors;
  • the risk-based approach;
  • the classification of deficiencies;
  • timing of required testing; and
  • testing of IT controls.

1. The role of outside auditors (Question 10)

Many of our members have expressed concern over the dramatic increase in audit fees due to the implementation of Section 404 of the Sarbanes-Oxley Act ("Section 404"). These costs are driven, in part, by the dual testing of internal control over financial reporting. Further, audit firms often require that a company's documentation and testing of internal control over financial reporting conform to the audit firm's own internal model of internal control over financial reporting. These requirements are typically in the form of a standard risk and control matrix, which is applied universally and without consideration to relative risk. Further, audit firms often appear to be driven by the PCAOB inspection process rather than by professional judgment with respect to the risk of material misstatement.

We encourage the Staff to reconsider the requirements that outside auditors both evaluate management's system of internal control over financial reporting and independently test that system, specifically with respect to the amount of reliance that can be placed on management's evaluation. Specifically, we recommend that AS-2 be modified to require that auditors evaluate the adequacy of a company's assessment, and only test a company's controls in connection with such evaluation. We believe this would still achieve the objectives of the dual testing but would drive the auditors to a more integrated approach.

2. The risk-based approach (Questions 11, 15, 16, 17, 18, 19)

We note that many of our members found the May 2005 Guidance to be useful, especially with respect to the recommended "top-down, risk-based" approach. However, in the experience of our members, some audit firms have taken the position that the guidance is only a suggestion and that they are still limited by the requirements of AS-2. Regardless of the recommendations contained in the May 2005 Guidance, many external auditors continue to base their procedures on standard programs focused heavily on routine, transactional controls. Further, auditors often place limited reliance on management's oversight and self-assessments. Therefore, we strongly recommend that AS-2 be amended to refer specifically to, and incorporate, the new guidance.

Our members have consistently noted that management and outside auditors typically spend significant amounts of time testing routine transactional and IT controls, even where higher level controls that have been designed specifically to detect significant and material errors in a timely manner are found to be effective. Further, we have found that in developing the timing and extent of testing, outside auditors generally do not consider whether the process, key personnel or other qualitative factors have changed with respect to a routine control.

We request enhanced guidance that provides clarification and illustrative examples regarding the extent to which management can rely on the effectiveness of entity-level controls and related opportunities to reduce testing at the process level. In addition, we would appreciate increased flexibility in the nature and extent of evaluation procedures for process-level controls, such as placing more reliance on monitoring controls and self-assessment and considering the extent to which processes, key personnel and other qualitative factors have changed.

We also would like to see modifications to AS-2 that increase flexibility in the nature and extent of evaluation procedures (including testing and walkthroughs) for process-level controls, such as placing more reliance on monitoring controls and self-assessment and considering the extent to which processes, key personnel and other qualitative factors have changed. For example, we believe that testing need not be required every year for those process-level controls that are highly automated, have not changed from the prior year and have had no significant deficiencies or material weaknesses in the past three years. This would save costs and enable issuers and their auditors to focus on the more manual, subjective controls.

The guidance should also address the identification of multiple locations or business units, and how companies should determine what is tested. Some of our member companies have multiple locations that, while not significant individually, can be significant in the aggregate.

Although our members have differing views on this issue, we generally do not find it necessary for the Commission to provide guidance about fraud controls. We believe that management's involvement in day-to-day operations, supplemented by documentation of fraud programs and control testing within the current internal control over financial reporting framework, are sufficient.

3. The classification of deficiencies (Questions 24, 25, 26 and 27)

Our member companies often spend many hours evaluating deficiencies that could potentially be "significant" but management and the outside auditors agree do not constitute a material weakness. These discussions can be very time-consuming (taking as many as 80 hours in some circumstances) and typically occur immediately before an Audit Committee meeting and the filing of the quarterly or annual reports with the SEC, when members of financial management and the Company's lawyers have many other demands on their time. Given that the principal purpose of Section 404 is to ensure that investors are informed of material weaknesses and provided assurance that corrective action is taken in a timely manner, we do not believe that the requirement that companies evaluate deficiencies that, although potentially "significant", are unlikely to be deemed a material weakness, adds value from a cost/benefit perspective. Therefore, we recommend that AS-2 be amended to eliminate the requirement that audit findings be evaluated to determine if they constitute significant deficiencies. The classifications would then be limited to "deficiency" and "material weakness", and management would have flexibility to determine which deficiencies should be brought to the attention of the Audit Committee. Please note that this recommendation would only be useful to the issuer community so long as the definition of "material weakness" is not expanded to encompass items that would previously have been considered "significant deficiencies."

In addition, we would find it very useful for the guidance to provide additional information with respect to the definitions of material weakness, significant deficiency (if this category is retained) and deficiency. Specifically, what exactly does it mean to be "remote" — can it be quantified as a 5% or 10% likelihood of occurrence? Although the PCAOB's November 30, 2005 report on implementation of AS-2 discusses "More Than Remote Likelihood" and indicates that the term is understood to have the same meaning as the use of the term in FAS No. 5, Accounting for Contingencies, we nevertheless believe that further, more objective guidance is needed. We understand that something that is remote may actually occur or, put another way, its likelihood of occurring is greater than zero. The November 30 release indicates that "more than remote" means that there is at least a reasonably possible likelihood of occurrence. However, in some cases, our members have found that the registered public accounting firms have taken the position that something that may occur, however unlikely, can never be categorized as remote. Not only would this reduce administrative burden, but investors would be well-served by having all companies assessing the "remote" standard off the same guiding principles, rather than off whichever standard the Big Four firm that serves as the company's auditors has imposed.

Similarly, in our experience, the registered public accounting firms have generally applied little judgment with respect to whether a restatement of financial statements is a material weakness, notwithstanding the May 2005 Guidance that indicates that a restatement is only a strong presumption of a material weakness. We understand that certain SEC staff members may have expressed some informal views on the subject of the existence of material weakness following restatements. We believe that expanded formal guidance should be provided jointly by the PCAOB and SEC (and ultimately include such guidance in a modification of AS-2) to ensure consistent interpretation and application. Specifically, we believe that the following should be provided as examples of situations in which a restatement will typically not be evidence of a material weakness:

  • GAAP is silent or ambiguous concerning an acceptable interpretation of a standard and the SEC staff announces interpretive guidance that mandates an approach that requires one or more companies to restate previously issued financial statements (e.g. classification of cash flows from discontinued operations);
  • A company and the SEC disagree on a matter that is the subject of judgment or estimate and, notwithstanding the support the company has for its position, the SEC requires restatement (e.g. materiality; segment reporting, fair value determinations, method of determining loan loss allowances; use of particular discount rates or other assumptions);
  • A company misapplies a technical and arguably immaterial GAAP issue (e.g. reclassification of certain cash equivalent or cash flow items); or
  • A company has been following an acceptable accounting approach of its industry and an objection is raised by the SEC subsequent to the issuance of financial statements (e.g. debt classification of refundable residents' deposits held by continuing care companies).

We believe that, in all of these examples, the restatement that follows is not an indication of inadequate controls within the company.

4. Timing of required testing (Question 23)

AS-2, Regulation S-K Item 307 and Rules 13a-15(b) and 15d-15(b) require that management assess the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year. As a result, if an issuer changes its systems or controls immediately prior to year-end then the system that was in place for virtually all of the fiscal year is excluded from the assessment, and the new system is included in the assessment even though it did not materially impact financial results for that fiscal year. This puts pressure on companies to delay new IT systems that may be important for business operations, yet not critical in terms of internal control over financial reporting.

Further, the requirement that every key control be tested at least once in the fourth quarter can be extremely burdensome to issuers. Therefore, some of our members have suggested that the assessment should instead be required to cover the effectiveness of the company's internal control over financial reporting that existed during the fiscal year and was material to the company's annual financial results. This would eliminate the need for issuers to ensure that systems are put in place with adequate time for testing, providing issuers with flexibility to make decisions regarding systems and controls that are instead in the best interests of the company.

5. Testing of IT Controls (Question 29)

We understand that IT controls comprise a significant percentage of all key controls tested, although the material misstatements that prompted the adoption of Section 404 and that continue to be the source of finance misstatements have not been attributed to a failure in IT controls. Although we recognize that certain IT controls can be directly correlated to the preparation of financial statements (such as controls over changes to a financial system application), many of the controls now tested do not directly impact the financial statements and are extremely unlikely to result in a material misstatement due to the existence of higher level controls that operate at the transaction or entity level.

Previous guidance indicates that evaluations of the significance of a deficiency in IT controls should be considered in conjunction with evaluation of application controls. Accordingly, while performing tests on the effectiveness of an IT control is clearly relevant in the event that an application level control or other process or entity level control fails, testing in the absence of such a control failure appears to add little value to management's assessment. Therefore, we request more detailed guidance on the requirements to test application-type IT controls and further clarification on the nature and extent of testing required for IT controls having only an indirect impact on the financial statements. We recommend that the guidance apply a risk-based top-down approach to any required IT testing, as deficiencies in many IT controls would be unlikely to be considered a "material weakness". Further, it would be useful for such guidance to address the extent to which such controls should be tested if application, process and entity level controls are adequate, as well as examples of indirect IT controls both relevant and not generally relevant to management's assessment of internal control over financial reporting.

We appreciate this opportunity to share our views with you, and would be happy to provide you with further information to the extent you would find it useful.

Respectfully submitted,

The Society of Corporate Secretaries and Governance Professionals

By: Stacey K. Geer, Society PCAOB Subcommittee Chairperson
cc: Lydia Beebe, Society Chairman-Elect
William Mostyn, Society Chairman
David W. Smith, Society President


Society of Corporate Secretaries and Governance Professionals
521 Fifth Avenue New York NY 10175
212-681-2000 - Fax 212-681-2005
