News & Resources

Management's Reports on Internal Controls Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

August 1, 2003

MEMORANDUM

To:   Our Clients and Friends
From:   Olshan Grundman Frome Rosenzweig & Wolosky LLP
Date:   August 1, 2003
Re:   Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

Introduction

On June 5, 2003, the Securities and Exchange Commission (the "SEC") issued final rules implementing Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act").  The new rules relate to management's reports on internal control over financial reporting, and adopt revisions to the officers' certification of disclosures in periodic reports filed under the Securities Exchange Act of 1934 (the "Exchange Act").[1] 

The new rules provide the following new disclosure requirements: [2]

  • each annual report must contain a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, as well as management's assessment, at the end of the company's most recent fiscal year, of the effectiveness of such internal control structures and procedures;
  • each annual report must contain a report by the company's auditor where it attests to and reports on management's procedures for financial reporting in accordance with the standards established by the Public Company Accounting Oversight Board (the "PCAOB");
  • each quarterly report must disclose changes that have materially affected or are reasonably likely to materially affect the company's internal control over financial reporting;
  • the CEO and CFO certifications mandated by Section 302 and of the Act have been amended to incorporate, among other things, the new internal control rules; and
  • certifications pursuant to Sections 302 and 906 of the Act must be submitted as exhibits to periodic reports filed with the SEC.

Compliance Dates

"Accelerated filers"[3] are required to comply with the new disclosure requirements relating to internal control over financial reporting beginning with the first fiscal year ending after June 15, 2004.  All other reporting companies, including foreign private issuers, are required to comply with the new disclosure requirements beginning with the first fiscal year ending after April 15, 2005.  Quarterly disclosure of material changes to internal control over financial reporting must begin with the first periodic report due after the first annual report that is required to contain the management report on internal control over financial reporting.  The new requirements relating to the CEO and CFO certifications will apply to quarterly, semi-annual or annual reports due on or after August 14, 2003, however, the changes to Section 302 certifications relating to internal control over financial reporting will not become effective until the first annual report required to contain a management report on internal control over financial reporting.

Internal Control Over Financial Reporting

"Internal control over financial reporting" is a process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effectuated by the company's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with Generally Accepted Accounting Principles ("GAAP").  This process includes those policies and procedures that:

  • pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
  • provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
  • provide reasonable assurance regarding prevention or untimely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

Annual Internal Control Report

The annual report on internal control over financial reporting must contain:

  • a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
  • a statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's control over financial reporting;
  • management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective;[4] and
  • a statement that the public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

In addition, the company must file, as part of the company's annual report, the attestation report of the public accounting firm that audited the company's financial statements.

Framework for Management to Evaluate Effectiveness

Management must use a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.

A suitable framework must: (i) be free from bias, (ii) permit reasonably consistent qualitative and quantitative measurements of a company's internal control, (iii) be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal controls are not omitted and (iv) be relevant to an evaluation of internal control over financial reporting. [5]

Documenting Management's Evaluation

Although no specific procedures must be followed, a company must maintain documentation to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting.[6]  The documentation must cover both the design of internal controls and the testing processes, and must provide reasonable support:

  • for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions;
  • for the conclusion that the tests were appropriately planned and performed; and
  • that the results of the tests were appropriately considered.

The SEC recommends but does not require the internal control report to appear near the corresponding attestation report issued by the company's auditor.  The SEC expects most companies to place the internal control report and attestation report near the MD&A disclosure, immediately preceding the company's financial statements.

Auditor Attestation

Under the new rules, a company must now file as part of its annual report: (i) a statement that the public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting and (ii) the auditor's attestation report.[7]

Quarterly Evaluations

Quarterly evaluations need not be as extensive as annual evaluations, which require an overall assessment of internal controls.  Quarterly evaluations require the company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. 

302 Certifications

The new rules require companies to file a revised form of the former Section 302 certifications as exhibits to periodic reports.[8]  The specific form and content of the Section 302 certifications is set forth in Appendix A.  The amended form includes the following:

  • a statement that the subscribing principal executive and financial officers are responsible for designing internal controls and procedures for financial reporting or having such controls and procedures designed under their supervision;
  • the clarification that disclosure controls and procedures may be designed under the supervision of principal executive and financial officers; and
  • a revised statement as of the end of the period covered by the report (rather than as of a date within 90 days of the filing date of the report) as to the effectiveness of disclosure controls and procedures.

906 Certifications

The new rules amended 13a-14 and 15d-14 of the Exchange Act and Item 601 of Regulation S-B and S-K to add the Section 906 certifications to the list of required exhibits to be included in reports filed with the SEC.

Section 906 certifications are required only in periodic reports that contain financial statements. Therefore, amendments to periodic reports that do not contain financial statements would not require a new Section 906 certification, but would require a new Section 302 certification to be filed with the amendment. Any CEO or CFO that knowingly or willfully provides a false certification under Section 906 will be subjected to criminal penalties.

_____________________

These are only brief descriptions of the SEC's new rules.  This memorandum provides general information only and does not constitute legal advice that may be applied to any particular situation.  Please contact the Partners in our Corporate Department for further advice and assistance.

Appendix A

CERTIFICATIONS*

I, [identify the certifying individual], certify that:

1.    I have reviewed this [specify report] of [identify registrant];

2.    Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3.    Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

4.    The registrant's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) [and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f))] for the registrant and have:

(a)    Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

[(b)    Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles];

(c)    Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

(d)    Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and

5.    The registrant's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):

(a)    All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and

(b)    Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.

Date: ...............

_______________________
[Signature]
[Title]

* Provide a separate certification for each principal executive officer and principal financial officer of the registrant. See Rules 13a-14(a) and 15d-14(a).

NOTE: Bold and bracketed language required under the new Section 404 internal control rules must be included only after the effective date for the internal control rules (i.e., for "accelerated filers" the first fiscal year ending on or after June 15, 2004, and for all others the first fiscal year ending on or after April 15, 2005).


[1] See SEC Release No. 33-8238: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports at http://www.sec.gov/rules/final/33-8238.htm

[2] Registered investment companies are exempt from these new disclosure requirements.

[3] An "accelerated filer," as defined in Rule 12b-2 of the Exchange Act is a U.S. issuer after it first meets the following conditions as of the end of its fiscal year: (i) the aggregate market value of the voting and non-voting common equity held by non-affiliates of the issuer is $75 million or more; (ii) the issuer has been subject to the requirements of Section 13(a) or 15(d) of the Exchange Act for a period of at least 12 calendar months; (iii) the issuer has filed at least one Annual Report pursuant to Section 13(a) or 15(d) of the Exchange Act; and (iv) the issuer is not eligible to use Forms 10-KSB and 10-QSB for its annual and quarterly reports.

[4] This includes disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management, which would preclude management from concluding that the company's internal control over financial reporting is effective. A material weakness is a deficiency in the design and operation of internal control that could adversely affect a company's ability to record, process, summarize and report financial data consistent with the assertions of management in the company's financial statements.

[5] While the new rules do not mandate the use of a particular framework, the SEC has specifically authorized the use of the framework established by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") in its published reports regarding internal control.

[6] The company's auditor that is required to attest to, and report on management's assessment must require the company to develop and maintain such documentation to support management's assessment.

[7] The PCAOB is required to set standards for registered public accounting firms' attestations to, and reports on, management's assessment regarding its internal control over financial reporting. On April 16, 2003, the PCAOB designated Statements on Standards for Attestation Engagements No. 10 as the standard of management's assessment of the effectiveness of internal control over financial reporting pending further PCAOB standard setting in this area. The PCAOB intends to monitor the appropriateness of those standards and modify them as needed.

[8] Item 601 of Regulations S-B and S-K has been amended to add the Section 302 and Section 906 certifications to the list of required exhibits as Exhibits 31 and 32 respectively.