The SEC’s definition of internal control does not encompass the effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the Commission's financial reporting requirements. The definition is consistent with the description of internal accounting controls in Exchange Act Section 13(b)(2)(B).

With respect to the internal control report requirements, the May 27 summary indicated that different timing requirements were defined for two groups, the first one consisting of companies, other than foreign private issuers, meeting the definition of an "accelerated filer" in Exchange Act Rule 12b-2 (“Group 1”) as of the end of its first fiscal year ending on or after June 15, 2004, and the second consisting of all other issuers that are not an accelerated filer as of the end of its first fiscal year ending on or after June 15, 2004, including small business issuers and foreign private issuers (“Group 2”). Group 1 companies must begin to comply with the management report on internal control over financial reporting disclosure requirements in their annual report as of the end of its first fiscal year ending on or after June 15, 2004. Group 2 companies must begin to comply with the annual internal control report requirements for their first fiscal year ending on or after April 15, 2005.

A company must begin to comply with the requirements regarding evaluation of any material change to its internal control over financial reporting in its first periodic report due after the first annual report required to include a management report on internal control over financial reporting.

The SEC pointed out that a company may voluntarily comply with the new disclosure requirements before the compliance dates.

Under the new rules, the certifying officers must state that they “are responsible for establishing and maintaining … internal control over financial reporting” and “designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under [their] supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.” The rules state that the extended transition period also applies to this language to allow a company's certifying officers to temporarily modify the content of their Section 302 certifications to eliminate these references to internal control over financial reporting until the compliance date. This transition is intended to account for the difference between the compliance date of the rules relating to internal control over financial reporting and the effective date of changes to the language of the Section 302 certification. This extended transition period to allow companies to exclude this language from their certifications for the duration of that period does not in any way affect the provisions of the SEC’s other rules and regulations regarding internal controls that are already in effect.

As pointed out in the May 27 summary, management is required to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Consistent with this requirement, the SEC rules modified Exchange Act Rules 13a-14 and 15d-15 and the executive certification form to delete the phrase "or in other factors." Although the final rules do not explicitly require the company to disclose the reasons for any change that occurred during a fiscal quarter, or to otherwise elaborate about the change, a company will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosure about the change not misleading.

The quarterly certification requirement under the Section 302 rules with respect to management's disclosure of material weaknesses to the audit committee and to the independent accountant remain in force. The SEC made clear its expectation that if a certifying officer becomes aware of a significant deficiency, material weakness or fraud requiring disclosure outside of the formal evaluation process or after management's most recent evaluation of internal control over financial reporting, he or she will disclose it to the company's auditors and audit committee.

With respect to disclosure controls and procedures, the SEC changed the evaluation date to "as of the end of the period" covered by the quarterly or annual report, eliminating the previously required "90 day period" (however, see comments below regarding registered investment companies). The Commission also elected not to specify the point at which management must evaluate changes to the company's internal control over financial reporting. The rationale is that the final rules do not require a company to state the conclusions of the certifying officers regarding the effectiveness of the company's internal control over financial reporting as of a particular date on a quarterly basis (as those officers must do with respect to disclosure controls and procedures).

This development is not a surprise. The SEC has a long-standing practice of allowing issuers to formulate their own policies with respect to compliance matters. Subsequent to the open meeting, the SEC staff pointed out to us that nothing said in the open meeting or included in the final release on Section 404 is intended to change the independence release or rules, or the appropriate interpretation of those rules. Management and audit committees must take into account the SEC's oral comments in the open meeting and written rules when formulating company policies in this regard. Thus the burden is on management and the audit committee to evaluate the desirability of engaging the independent accountant in documenting internal control over financial reporting on behalf of management. In effect, the final rules constitute a "yellow light" of caution signaling to companies that it would be wise to monitor further SEC and PCAOB developments for additional clarification in what could very well be an evolving area.

In the final rules, the SEC states that it understands the need for management and the company's independent auditors to coordinate their respective activities relating to documenting and testing internal controls over financial reporting. In stating that understanding, the SEC also issued two “reminders” to companies and their auditors:

• First, the Commission's rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client.
  
• Second, management cannot delegate its responsibility to assess its internal controls over financial reporting to the auditor.

The SEC also made two other points on independence:

• If the auditor is engaged to assist management in documenting internal controls, management must be actively involved in the process.
  
• Management's acceptance of responsibility for the documentation and testing performed by the auditor does not satisfy the auditor independence rules.

The above views expressed by the SEC raises several points. First, documentation of internal control over financial reporting by the independent accountant is implied to constitute a nonaudit service. Second, if the auditor performs documentation and testing of internal controls, management cannot simply accept responsibility for that work. This would be tantamount to management accepting responsibility for the results of bookkeeping or other services provided by the auditor related to the company's significant accounting records or financial reporting areas. Third, the auditor must exercise care to ensure that he or she does not end up auditing his or her own work or provide a service acting in a management capacity. Finally, while there is some ambiguity in the final rules that didn’t exist during the May 27 open meeting, it appears that the overriding message is for management, and their audit committees, to proceed with care when engaging independent accountants to document internal control over financial reporting.

With respect to the executive certifications required by Sections 302 and 906 of SOA, the rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 are being revised to require issuers to provide the certifications as exhibits to certain periodic reports.

With respect to evaluations of disclosure controls and procedures, companies must evaluate the effectiveness of those controls and procedures on a quarterly basis. The SEC points out that “while the evaluation is of effectiveness overall, a company's management has the ability to make judgments (and it is responsible for its judgments) that evaluations, particularly quarterly evaluations, should focus on developments since the most recent evaluation, areas of weakness or continuing concern, or other aspects of disclosure controls and procedures that merit attention.” Thus the message is one of flexibility in approach.

The final rules on Section 404 also reaffirmed that foreign private issuers are only required to evaluate and disclose conclusions regarding the effectiveness of their disclosure controls and procedures in their annual report and not on a quarterly basis. These issuers are not subject to mandated quarterly reporting requirements under the Exchange Act.