After several extensions, the Securities and Exchange Commission (the “SEC”) has finally set a compliance date for non-accelerated taxpayers with respect to Section 404 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”).
What is needed?
To comply with Section 404, two reports are required. One is prepared by company management and the other is prepared by the company’s independent auditor.
Management Report on Internal Control of Financial Information
A company that is a reporting company under the Securities Exchange Act of 1934 (the “Exchange Act”) must include in its Annual Report on Form 10-K or 10-KSB, a report on the effectiveness of internal control of company on financial information (your “ICFR”). In addition, management is required to evaluate, at the end of each fiscal quarter, any changes to the company’s ICFR that have occurred during the period that have materially affected, or are reasonably likely to materially affect (emphasis added), the ICFR of the company. Additional information on the management’s obligation to evaluate is detailed later in this article.
The management report is contained in Item 9A and 9A(T) of Form 10-K, and Item 8A and 8A(T) of Form 10-KSB. Rule 308 of the SK Regulation provides the instructions.
There are two important considerations regarding the management report. First, the management report included in the annual report of a non-accelerated filer during the first year (emphasis added) of the filer’s compliance will be considered “provided” rather than “filed.” This relieves management of liability under Section 18 of the Stock Exchange Law and is designed to ease any initial tension between management and the independent auditor should their conclusions differ. However, if the issuer subsequently incorporates by reference your report in a filing pursuant to the Securities Exchange Act of 1933, it will be deemed to have been filed.
Second, if the annual report submitted for this first year contains management’s report but does not contain an independent auditor’s certification report (see Auditor’s Certification Report on Internal Control Over Financial Reporting, below), The management report must contain a statement substantially as follows:
This annual report does not include a certification report from the company’s registered public accounting firm regarding internal control over financial reporting. The management’s report was not subject to certification by the company’s registered public accounting firm pursuant to the Securities and Exchange Commission’s temporary rules that allow the company to provide only the management’s report in this report annual.
Auditor certification report on internal control of financial information
In addition to the management report, the company’s independent auditor must issue a report certifying the management’s report on the company’s ICFR. The auditors we have spoken with have indicated that they will want to review the company’s internal controls and then review the management report before issuing this certificate.
Changes to Certifications
Non-accelerated filers have been permitted to omit the portion of the introductory language in paragraph 4, as well as the language in paragraph 4(b) of the certification required by Rules 13a-14(a) and 15d-14(a). ) of the Stock Market Law. which refers to the responsibility of the certifiers in the design, establishment and maintenance of the SCIIF for the company. These omissions must be reinserted when the certifications are submitted with an annual report that includes a management report on the effectiveness of the company’s SCIIF.
Language that has been allowed to be omitted is underlined:
4. The registrant’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Rules 13a-14 and 15d-14 of the Exchange Act) for the registrant and have:
a) designed such disclosure controls and procedures to ensure that material information relating to the registrant, including its consolidated subsidiaries, is disclosed to us by others within those entities, particularly during the period in which this annual report is being prepared ;
b) evaluated the effectiveness of the registrant’s disclosure controls and procedures as of a date within 90 days prior to the filing date of this annual report (the “Assessment Date”); Y
When is it required?
Management Report
Non-accelerated filers must provide management’s report on the ICFR in their annual report for their first fiscal year ending on or after December 15, 2007.
Auditor certificate report
Non-accelerated filers are required to provide the auditor’s certification report in their annual reports for their first fiscal year ending on or after December 15, 2008.
Changes in Certifications
Non-accelerated filers may omit the reference language until they file their first annual report that includes a Management Report.
What is the Administration’s Evaluation Obligation?
Management is responsible for maintaining an ICFR system that provides reasonable assurance (emphasis added) regarding the reliability of financial information and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Management is also responsible for maintaining evidentiary matters, including documentation, to provide reasonable support for its evaluation.
Section 13(b)(7) of the Exchange Act defines “reasonable assurance” as “such a level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
While there are numerous ways that management can conduct an assessment of your ICFR, SEC Notice No. 34-55929 sets forth an assessment method that is a safe harbor for management.
One of the key definitions in the Communications is that of “material weakness” as “a deficiency, or combination of deficiencies, in the ICFR such that there is a reasonable possibility that a material misstatement of the entity’s annual or interim financial statements registered is not resolved”. prevented or detected in a timely manner.
New public companies
It is important to note that there is a transition period for companies reporting for the first time. A company will not be subject to the ICFR requirements until (i) it has been required to file an annual report for the previous tax year with the SEC, or (ii) it has filed an annual report with the Commission for the previous tax year. . . However, newly public companies must include a statement in their first annual report that the annual report does not include management’s GFCI assessment of the company or the auditor’s certification report. The extra year of presentation of the management report without auditor certification does not apply, both must be presented in the second year.
The effect of deficiencies
One of the most common questions we anticipate is “what is the effect of having deficiencies on our ICFR?”
None of the NASDAQ exchanges, the American Stock Exchange, or the Over-the-Counter Bulletin Board will delist or negatively identify a company that has reported deficiencies in its ICFR.
At the macroeconomic level, the cost of money should be higher for a company that reports deficiencies than for a similar company that does not. Rating agencies such as Fitch’s and Standard & Poor’s have published guidance on how they intend to handle the reports. It remains to be seen whether hedge funds and other PIPE funding funds will increase the cost of money for issuers that report deficiency.
Every auditor we’ve talked to has said that deficiencies in the ICFR will increase the cost of an audit because they have to do additional sampling and follow other time-consuming processes.