By Ronald O. Mueller, Amy L. Goodman and Michael J. Scanlon

Rules Require Management to Include an Internal Control Report in the Annual Report and Require the Independent Auditor to Include an Attestation Report on Management's Internal Controls

Today, the United States Securities and Exchange Commission ("SEC") approved the adoption of rules requiring public companies, other than investment companies, to include in their annual reports on Form 10-K a report of management on the company’s internal controls over financial reporting. The rules also will require the independent auditor of each public company to issue an attestation report on management’s assessment of the company’s internal controls, and this attestation report must be included public companies annual report on Form 10-K.

Importantly, the SEC provided an extended transition period pursuant to which domestic issuers that are subject to the accelerated reporting requirements will not be required to include management’s internal control report and the auditor’s attestation report until the first annual report on Form 10-K that is filed for fiscal years ending on or after June 15, 2004.

The text of the final rules implementing Section 404 of the Sarbanes-Oxley Act of 2002 is not yet available, but the SEC Commissioners and staff discussed several significant points regarding the final rules at today’s open meeting:

  • the definition of "internal controls and procedures for financial reporting" will be established by the Public Company Accounting Oversight Board (the "PCAOB");
  • management’s evaluation of the company’s internal control is to be based on a uniform framework; and CEOs and CFOs will have to certify on a quarterly basis that they have evaluated, as of the end of each fiscal quarter, whether any change in the company’s internal control over financial reporting occurred during such quarter that has materially affected, or is reasonably likely to materially affect, the company’s internal controls over financial reporting.

The following summary is based on information provided at the SEC's open meeting and therefore may not reflect nuances that will appear in the official text of the rules. The SEC is expected to publish the text of the rules on its website shortly.

Management’s Internal Control Report

Under the final rules, each annual report on Form 10-K (and foreign company annual reports on Forms 20-F or Form 40-F) must include an internal control report setting forth:

  • a statement of management's responsibility for establishing and maintaining internal controls and procedures for financial reporting;
  • a statement about the effectiveness of the company’s internal controls and procedures, based on management's evaluation of those controls and procedures; and
  • a statement that company’s independent auditor has attested to, and reported on, management’s evaluation of the internal controls and procedures for financial reporting.

The SEC indicated at the open meeting that in connection with preparing the report, management should base its evaluation on a uniform framework, which will be described in more detail in the text of the final rule. The SEC also stated that the definition of "internal controls and procedures for financial reporting" is to be established by the PCAOB, but in doing so, the PCAOB is to build its definition around the now familiar standards for internal controls over financial reporting set forth in the report of the Committee of Sponsoring Organizations of the Treadway Commission (the "COSO Report") with respect to financial reporting. In this regard, the SEC also indicated that the framework set forth in the COSO Report is an acceptable framework upon which management can base its evaluation of internal controls.

Attestation Report

As required under Section 404, the final rules will require that public companies include an attestation report from the independent auditor in each annual report on Form 10-K (and foreign company annual reports on Forms 20-F or Form 40-F). On this issue, the SEC indicated that the PCAOB should act soon to provide new standards for procedures related to performing the attestation.

Quarterly Certification Requirements

The SEC noted that it was taking a "step back" from the proposed rules regarding the amendments to the quarterly certification requirements that relate to internal controls. Specifically, the proposed rules would have required management to perform a quarterly evaluation of the effectiveness of the company’s internal controls. Instead, the final rules only will require management to review on a quarterly basis, whether there have been any material changes to the company’s internal controls.

Effective Date

According to the statements made at the SEC’s open meeting, domestic listed companies that satisfy the SEC’s accelerated-filer requirements will be required to include management’s internal control report and the auditor’s attestation report in the first annual report filed for fiscal years ending on or after June 15, 2004. Foreign issuers and small business issuers will be required to include these reports in their first annual report filed for fiscal years ending on or after April 15, 2005. The SEC indicated that it viewed these extended transition periods to be appropriate because they will allow the PCAOB sufficient time to establish the required definitions and standards for attestation and companies sufficient time to implement the new requirements.

Form of Section 302 and 906 Certifications

The SEC also adopted, substantially as proposed, amendments to require the Section 302 and 906 certifications to be filed as exhibits to the periodic reports to which they relate. Although not entirely clear from statements made at the open meeting, it appears the amendments requiring the Section 302 and 906 certifications to appear as exhibits will be effective sixty (60) days after the final rules are published on the SEC’s website shortly.

This article is based on information provided at the SEC's open meeting and therefore may not reflect nuances that appear in the official text of the rules.

This article has been prepared for general informational purposes only and is not intended as legal advice. Copyright © 2003 Gibson, Dunn & Crutcher LLP