In light of a number of recent developments, public companies should make sure their internal control over financial reporting (ICFR) complies with section 13(b)(2)(B) of the Securities Exchange Act of 1934. Both the SEC and the PCAOB have placed increased focus on ICFR since early 2013, and, in May 2013, the updated framework for the evaluation of internal control was issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
Both SEC Chief Accountant Paul Beswick and SEC Deputy Chief Accountant Brian T. Croteau have urged public companies to continually assess the adequacy of their internal control. Croteau noted in a December 2013 speech that companies may not be properly identifying material weaknesses or evaluating the severity of a deficiency in internal control. Croteau’s remarks came in a speech at the American Institute of CPAs’ Conference on Current SEC and PCAOB Developments. In what may suggest an increase in enforcement activities, Croteau indicated that the SEC’s Office of the Chief Accountant works with, and plans to continue its close work with, the SEC’s Enforcement and Corporation Finance Divisions as well as the PCAOB to address these matters.
Jay D. Hanson, a PCAOB board member, indicated in a speech at the SEC Institute’s December 2013 SEC Reporting & FASB Forum that public companies may be observing a higher level of diligence in audits of their ICFR. The additional diligence is likely the result of the PCAOB’s greater focus on ICFR in inspections. This can delay an auditor’s provision of a consent to the filing of a registration statement under the Securities Act of 1933 until completion of the inspection. Among the items that PCAOB inspectors have criticized in ICFR audits is the extent of audit work, including when a company’s documentation of a control is not sufficient. Auditors may now be observing the control in practice to respond to this criticism.
Recent SEC enforcement cases have commented on inadequate ICFR and the failure to comply with ICFR. For example, the SEC’s financial fraud action against Anchor Bancorp Wisconsin noted, among other things, that the company’s ICFR should have provided reasonable assurance that subsequent events would be taken into account up until the date the Form 10-Q was filed.
Croteau also indicated in his December speech that implementing COSO’s Internal Control – Integrated Framework provides an opportunity for public companies to improve ICFR. Among other things, the updated framework provides more detailed guidance as to board oversight of internal control. The minutes of the September 2013 meeting of SEC officials and the Center for Audit Quality’s SEC Regulations Committee note that companies continuing to use the 1992 framework instead of the updated framework can expect questions from SEC staff regarding whether that framework satisfies the SEC's requirement to use a suitable, recognized control framework.