No, I do not. But was digging around. I read at
Post# of 17650
Final Rule:
Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
SECURITIES AND EXCHANGE COMMISSION
17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274
[RELEASE NOS. 33-8238; 34-47986; IC-26068; File Nos. S7-40-02; S7-06-03]
RIN 3235-AI66 and 3235-AI79
MANAGEMENT'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING AND CERTIFICATION OF DISCLOSURE IN EXCHANGE ACT PERIODIC REPORTS
AGENCY: Securities and Exchange Commission.
ACTION: Final rule.
SUMMARY: As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.
DATES: Effective Date : August 14, 2003.
Compliance Dates : The following compliance dates apply to companies other than registered investment companies. A company that is an "accelerated filer," as defined in Exchange Act Rule 12b-2, as of the end of its first fiscal year ending on or after June 15, 2004, must begin to comply with the management report on internal control over financial reporting disclosure requirements in its annual report for that fiscal year. A company that is not an accelerated filer as of the end of its first fiscal year ending on or after June 15, 2004, including a foreign private issuer, must begin to comply with the annual internal control report for its first fiscal year ending on or after April 15, 2005. A company must begin to comply with the requirements regarding evaluation of any material change to its internal control over financial reporting in its first periodic report due after the first annual report required to include a management report on internal control over financial reporting. Companies may voluntarily comply with the new disclosure requirements before the compliance dates. A company must comply with the new exhibit requirements for the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 and changes to the Section 302 certification requirements in its quarterly, semi-annual or annual report due on or after August 14, 2003. To account for the differences between the compliance date of the rules relating to internal control over financial reporting and the effective date of changes to the language of the Section 302 certification, a company's certifying officers may temporarily modify the content of their Section 302 certifications to eliminate certain references to internal control over financial reporting until the compliance date, as further explained in Section III.E. below.
Registered investment companies must comply with the rule and form amendments applicable to them on and after August 14, 2003, except as follows. Registered investment companies must comply with the amendments to Exchange Act Rules 13a-15(a) and 15d-15(a) and Investment Company Act Rule 30a-3(a) that require them to maintain internal control over financial reporting with respect to fiscal years ending on or after June 15, 2004. In addition, a registered investment company's certifying officers may temporarily modify the content of their Section 302 certifications to eliminate certain references to internal control over financial reporting, as further explained in Section II.I. below. Registered investment companies may voluntarily comply with the rule and form amendments before the compliance dates.
FOR FURTHER INFORMATION CONTACT: N. Sean Harrison, Special Counsel, or Andrew D. Thorpe, Special Counsel, Division of Corporation Finance, at (202) 942-2910, or with respect to registered investment companies, Christian Broadbent, Senior Counsel, Division of Investment Management, at (202) 942-0721, or with respect to attestation and auditing issues, Edmund Bailey, Assistant Chief Accountant, Randolph P. Green, Professional Accounting Fellow, or Paul Munter, Academic Accounting Fellow, Office of the Chief Accountant, at (202) 942-4400, U.S. Securities and Exchange Commission, 450 Fifth Street, NW, Washington, DC 20549.
SUPPLEMENTARY INFORMATION : We are revising Items 307, 401 and 601 of Regulations S-B 1 and S-K; 2 adding new Item 308 to Regulations S-B and S-K; amending Form 10-K, 3 Form 10-KSB, 4 Form 10-Q, 5 Form 10-QSB, 6 Form 20-F, 7 Form 40-F, 8 Rule 12b-15, 9 Rule 13a-14, 10 Rule 13a-15, 11 Rule 15d-14 12 and Rule 15d-15 13 under the Securities Exchange Act of 1934 (the "Exchange Act"); 14 amending Rules 1-02 and 2-02 15 of Regulation S-X; 16 amending Rules 8b-15, 17 30a-2 18 and 30a-3 19 under the Investment Company Act of 1940 ("Investment Company Act"); 20 and amending Forms N-CSR 21 and N-SAR 22 under the Exchange Act and the Investment Company Act.
TABLE OF CONTENTS
- BACKGROUND
- DISCUSSION OF AMENDMENTS IMPLEMENTING SECTION 404
- Definition of Internal Control
- Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting
- Quarterly Evaluations of Internal Control over Financial Reporting
- Differences between Internal Control over Financial Reporting and Disclosure Controls and Procedures
- Evaluation of Disclosure Controls and Procedures
- Periodic Disclosure about the Certifying Officers' Evaluation of the Company's Disclosure Controls and Procedures and Disclosure about Changes to its Internal Control over Financial Reporting
- Existing Disclosure Requirements
- Proposed Amendments to the Disclosure Requirements
- Final Disclosure Requirements
- Conclusions Regarding Effectiveness of Disclosure Controls and Procedures
- Existing Disclosure Requirements
- Attestation to Management's Internal Control Report by the Company's Registered Public Accounting Firm
- Types of Companies Affected
- Foreign Private Issuers
- Asset-Backed Issuers
- Small Business Issuers
- Bank and Thrift Holding Companies
- Foreign Private Issuers
- Registered Investment Companies
- Transition Period
- Definition of Internal Control
- DISCUSSION OF AMENDMENTS RELATED TO CERTIFICATIONS
- Proposed Rules
- Final Rules
- Effect on Interim Guidance Regarding Filing Procedures
- Form of Section 302 Certifications
- Transition Period
- Proposed Rules
- PAPERWORK REDUCTION ACT
- COST-BENEFIT ANALYSIS
- EFFECT ON EFFICIENCY, COMPETITION AND CAPITAL FORMATION
- FINAL REGULATORY FLEXIBILITY ANALYSIS
- STATUTORY AUTHORITY AND TEXT OF RULE AMENDMENTS
I. BACKGROUND
A. Management's Report on Internal Control over Financial Reporting
In this release, we implement Section 404 of the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act"), 23 which requires us to prescribe rules requiring each annual report that a company, other than a registered investment company, 24 files pursuant to Section 13(a) or 15(d) of the Exchange Act to contain an internal control report: (1) stating management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) containing an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company's annual financial statements to attest to, and report on, the assessment made by management. The attestation must be made in accordance with standards for attestation engagements issued or adopted by the Public Company Accounting Oversight Board ("PCAOB"). 25 Section 404 further stipulates that the attestation cannot be the subject of a separate engagement of the registered public accounting firm.
We received over 200 comment letters in response to our release proposing requirements to implement Sections 404, 406 and 407 of the Sarbanes-Oxley Act. 26 Of these, 61 respondents commented on the Section 404 proposals. 27 These comment letters came from corporations, professional associations, accountants, law firms, consultants, academics, investors and others. In general, the commenters supported the objectives of the proposed new requirements. Investors supported the manner in which we proposed to achieve these objectives and, in some cases, urged us to require additional disclosure from companies. Other commenters, however, thought that we were requiring more disclosure than necessary to fulfill the mandates of the Sarbanes-Oxley Act and suggested modifications to the proposals. We have reviewed and considered all of the comments that we received on the proposals. The adopted rules reflect many of these comments -- we discuss our conclusions with respect to each topic and related comments in more detail throughout the release.
B. Certifications
We also are adopting amendments to require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to annual, semi-annual and quarterly reports. Section 302 required the Commission to adopt final rules that were to be effective by August 29, 2002, under which the principal executive and principal financial officers, or persons performing similar functions, of a company filing periodic reports under Section 13(a) or 15(d) of the Exchange Act 28 must provide a certification in each quarterly and annual report filed with the Commission. Section 906 of the Sarbanes-Oxley Act added new Section 1350 to Title 18 of the United States Code, 29 which contains a certification requirement subject to specific federal criminal provisions and that is separate and distinct from the certification requirement mandated by Section 302. 30 On August 28, 2002, we adopted Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 and amended our periodic report forms to implement the statutory directive in Section 302. 31 These rules and amendments became effective on August 29, 2002. On January 27, 2003, we adopted Form N-CSR to be used by registered management investment companies to file certified shareholder reports with the Commission. 32 The provisions added to Title 18 by Section 906 were by their terms effective on enactment of the Sarbanes-Oxley Act.
To enhance the ability of interested parties to effectively access the certifications through our Electronic Data Gathering, Analysis and Retrieval ("EDGAR") system and thereby enhance compliance with the certification requirements, we proposed to amend our rules and forms to require a company to file the certifications as an exhibit to the periodic reports to which they relate. 33 The proposals addressed both Section 302 and 906 certifications. After discussions with the Department of Justice, we concluded that, in light of the inconsistent methods that companies have been employing to fulfill their obligations under Section 906, 34 an exhibit requirement would consistently enable investors and the Commission staff, as well as the Department of Justice, to more effectively monitor compliance with this certification requirement.
II. DISCUSSION OF AMENDMENTS IMPLEMENTING SECTION 404
A. Definition of Internal Control
The proposed rules would have defined the term "internal controls and procedures for financial reporting" 35 to mean controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards §319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board.
As noted in the Proposing Release, there has been some confusion over the exact meaning and scope of the term "internal control," because the definition of the term has evolved over time. Historically, the term "internal control" was applied almost exclusively within the accounting profession. 36 As the auditing of financial statements evolved from a process of detailed testing of transactions and account balances towards a process of sampling and testing, greater consideration of a company's internal controls became necessary in planning an audit. 37 If an internal control component had been adequately designed, then the auditor could limit further consideration of that control to procedures to determine whether the control had been placed in operation. Accordingly, the auditor could rely on the control to serve as a basis to reduce the amount, timing or extent of substantive testing in the execution of an audit. Conversely, if an auditor determined that an internal control component was inadequate in its design or operation, then the auditor could not rely upon that control. In this instance, the auditor would conduct tests of transactions and perform additional analyses in order to accumulate sufficient, competent audit evidence to support its opinion on the financial statements.
From the outset, it was recognized that internal control is a broad concept that extends beyond the accounting functions of a company. Early attempts to define the term focused primarily on clarifying the portion of a company's internal control that an auditor should consider when planning and performing an audit of a company's financial statements. 38 However, this did not improve the level of understanding of the term, nor satisfactorily provide the guidance sought by auditors. Successive definitions and formal studies of the concept of internal control followed.
In 1977, based on recommendations of the Commission, Congress enacted the Foreign Corrupt Practices Act ("FCPA"). 39 The FCPA codified the accounting control provisions contained in Statement of Auditing Standards No. 1 (codified as AU §320 in the Codification of Statements on Auditing Standards). Under the FCPA, companies that have a class of securities registered under Section 12 of the Exchange Act, or that are required to file reports under Section 15(d) of the Exchange Act, are required to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
- transactions are executed in accordance with management's general or specific authorization;
- transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (2) to maintain accountability for assets;
- access to assets is permitted only in accordance with management's general or specific authorization; and
- the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences. 40
In 1985, a private-sector initiative known as the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, was formed to study the financial reporting system in the United States. In 1987, the Treadway Commission issued a report recommending that its sponsoring organizations work together to integrate the various internal control concepts and definitions and to develop a common reference point.
In response, the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") 41 undertook an extensive study of internal control to establish a common definition that would serve the needs of companies, independent public accountants, legislators and regulatory agencies, and to provide a broad framework of criteria against which companies could evaluate the effectiveness of their internal control systems. In 1992, COSO published its Internal Control -- Integrated Framework . 42 The COSO Framework defined internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in three categories--effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. COSO further stated that internal control consists of: the control environment, risk assessment, control activities, information and communication, and monitoring. The scope of internal control therefore extends to policies, plans, procedures, processes, systems, activities, functions, projects, initiatives, and endeavors of all types at all levels of a company.
In 1995, the AICPA incorporated the definition of internal control set forth in the COSO Report in Statement on Auditing Standards No. 78 (codified as AU §319 in the Codification of Statements on Auditing Standards). 43 Although we recognized that the AU §319 definition was derived from the COSO definition, our proposal referred to AU §319 because we thought that the former constituted a more formal and widely-accessible version of the definition than the latter.
We received comments from 25 commenters on the proposed definition of "internal control and procedures for financial reporting." Eleven commenters stated that the proposed definition of internal control was appropriate or generally agreed with the proposal. 44 Two of these noted that the definition in AU §319 had been adopted by the bank regulatory agencies for use by banking institutions. 45 Fourteen of the 25 commenters opposed the proposed definition. Two of these asserted that the proposed definition was too complex and would not resolve the confusion that existed over the meaning or scope of the term.
Several of the commenters that were opposed to the proposed definition thought that we should refer to COSO for the definition of internal control, rather than AU §319. 46 Some of these commenters noted that the objective of AU §319 is to provide guidance to auditors regarding their consideration of internal control in planning and performing an audit of financial statements. The common concern of these commenters was that AU §319 does not provide any measure or standard by which a company's management can determine that internal control is effective, nor does it define what constitutes effective internal control. One commenter believed that absent such evaluative criteria or definition of effectiveness, the proposed rules could not be implemented effectively. 47 In addition, several of the commenters opposed to the proposed definition suggested that we use the term "internal control over financial reporting" rather than the term "internal controls and procedures for financial reporting," 48 on the ground that the former is more consistent with the terminology currently used within the auditing literature.
A few of the commenters urged us to adopt a considerably broader definition of internal control that would focus not only on internal control over financial reporting, but also on internal control objectives associated with enterprise risk management and corporate governance. While we agree that these are important objectives, the definition that we are adopting retains a focus on financial reporting, consistent with our position articulated in the Proposing Release. We are not adopting a more expansive definition of internal control for a variety of reasons. Most important, we believe that Section 404 focuses on the element of internal control that relates to financial reporting. In addition, many commenters indicated that even the more limited definition related to financial reporting that we proposed will impose substantial reporting and cost burdens on companies. Finally, independent accountants traditionally have not been responsible for reviewing and testing, or attesting to an assessment by management of, internal controls that are outside the boundary of financial reporting.
After consideration of the comments, we have decided to make several modifications to the proposed amendments. We agree that we should use the term "internal control over financial reporting" in our amendments to implement Section 404, as well as our revisions to the Section 302 certification requirements and forms of certification. 49 Rapidly changing terminology has been one obstacle in the development of an accepted understanding of internal control. The term "internal control over financial reporting" is the predominant term used by companies and auditors and best encompasses the objectives of the Sarbanes-Oxley Act. In addition, by using this term, we avoid having to familiarize investors, companies and auditors with new terminology, which should lessen any confusion that may exist about the meaning and scope of internal control.
The final rules define "internal control over financial reporting" as:
A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, 50 management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements. 51
We recognize that our definition of the term "internal control over financial reporting" reflected in the final rules encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives. Our definition does not encompass the elements of the COSO Report definition that relate to effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the Commission's financial reporting requirements. 52 Our definition is consistent with the description of internal accounting controls in Exchange Act Section 13(b)(2)(B). 53
Following the general language defining internal control over financial reporting, clauses (1) and (2) include the internal control matters described in Section 103 of the Sarbanes-Oxley Act that the company's registered public accounting firm is required to evaluate in its audit or attestation report. 54 This language is included to make clear that the assessment of management in its internal control report as to which the company's registered public accounting firm will be required to attest and report specifically covers the matters referenced in Section 103. A few commenters believed that it would cause confusion if the definition of internal control did not acknowledge the objectives set forth in Section 103 of the Sarbanes-Oxley Act. As discussed in Section II.G below, the PCAOB is responsible for establishing the Section 103 standards.
Our definition also includes, in clause (3), explicit reference to assurances regarding use or disposition of the company's assets. This provision is specifically included to make clear that, for purposes of our definition, the safeguarding of assets is one of the elements of internal control over financial reporting and it addresses the supplementation of the COSO Framework after it was originally promulgated. In the absence of our change to the definition, the determination of whether control regarding the safeguarding of assets falls within a company's internal control over financial reporting currently could be subject to varying interpretation.
Safeguarding of assets had been a primary objective of internal accounting control in SAS No. 1. In 1988, the ASB issued Statement of Auditing Standards No. 55 (codified as AU §319 in the Codification of Statements on Auditing Standards), which replaced AU §320. SAS No. 55 revised the definition of "internal control" and expanded auditors' responsibilities for considering internal control in a financial statement audit. The prior classification of internal control into the two categories of "internal accounting control" and "administrative control" was replaced with the single term "internal control structure," which consisted of three interrelated components--control environment, the accounting system and control procedures. Under this new definition, the safeguarding of assets was no longer a primary objective, but a subset of the control procedures component. 55 The COSO Report followed this shift in the iteration of safeguarding of assets. The COSO Report states that operations objectives "pertain to effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss." 56 However, the report also clarifies that safeguarding of assets can fall within other categories of internal control. 57
In 1994, COSO published an addendum to the Reporting to External Parties volume of the COSO Report. The addendum was issued in response to a concern expressed by some parties, including the U.S. General Accounting Office, that the management reports contemplated by the COSO Report did not adequately address controls relating to safeguarding of assets and therefore would not fully respond to the requirements of the FCPA. 58 In the addendum, COSO concluded that while it believed its definition of internal control in its 1992 report remained appropriate, it recognized that the FCPA encompasses certain controls related to safeguarding of assets and that there is a reasonable expectation on the part of some readers of management's internal control reports that the reports will cover such controls. The addendum therefore sets forth the following definition of the term "internal control over safeguarding of assets against unauthorized acquisition, use or disposition":
Internal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's assets that could have a material effect on the financial statements.
As indicated above, to achieve the desired result and to provide consistency with COSO's 1994 addendum, we have incorporated this definition into our definition of "internal control over financial reporting." We are persuaded that this is appropriate given the fact that our definition will be used for purposes of public management reporting, and that the companies that will be subject to the Section 404 requirements also are subject to the FCPA requirements. So, under the final rules, safeguarding of assets as provided is specifically included in our definition of "internal control over financial reporting."
B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting
We proposed to amend Item 307 of Regulations S-K and S-B, as well as Forms 20-F and 40-F, to require a company's annual report to include an internal control report of management containing:
- A statement of management's responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting;
- The conclusions of management about the effectiveness of the company's internal controls and procedures for financial reporting based on management's evaluation of those controls and procedures; and
- A statement that the registered public accounting firm that prepared or issued the company's audit report relating to the financial statements included in the company's annual report has attested to, and reported on, management's evaluation of the company's internal controls and procedures for financial reporting.
The proposed amendments did not list any additional disclosure requirements for the management report, but rather would have afforded management the flexibility to tailor the report to fit its company's particular circumstances.
We received comments from 17 commenters on our proposed annual internal control report requirements. All of these commenters believed, in varying degrees, that we should set forth additional disclosure criteria or standards for the management report. Nine commenters stated that we should provide guidance as to the topics to be addressed in the management report, or specify standards or a common set of internal control objectives to be considered by management when assessing the effectiveness of its company's internal control over financial reporting to ensure that control objectives are addressed in a consistent fashion. 59 These commenters believed that consistent standards for management's report on internal control would help investors to understand and compare the quality of various management internal control reports.
Several commenters also thought that we should require management's internal control report to include certain recitations that would parallel recitations that the registered public accounting firm would have to make in its report attesting to management's assessment. 60 Additional commenters believed that the management report on internal control should specifically reference the objectives contained in Section 103 of the Sarbanes-Oxley Act. 61 Furthermore, although Section 404(b) of the Sarbanes-Oxley Act does not explicitly direct us to require companies to file the registered public accounting firms' attestation reports as part of the companies' annual report filings, we proposed a filing requirement that most of those commenting on this aspect of the proposal supported.
After evaluating the comments received, we are adopting the proposals with several modifications. The final rules require a company's annual report to include an internal control report of management that contains:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
- A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;
- Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective. 62 The assessment must include disclosure of any "material weaknesses" 63 in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting; and
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting. 64
As proposed, our final rules also require a company to file, as part of the company's annual report, the attestation report of the registered public accounting firm that audited the company's financial statements.
a. Evaluation of Internal Control over Financial Reporting
In the Proposing Release, we requested comment on whether we should establish specific evaluative criteria for management's report on internal control. All of the commenters responding to this request supported the establishment of such evaluative criteria in order to improve comparability among the standards used by companies to conduct their annual internal control evaluations. 65 Several commenters believed that we either should adopt the COSO Framework as the means by which management must evaluate its company's internal control over financial reporting or, alternatively, simply acknowledge the COSO Framework as being suitable for purposes of management's evaluation. Other commenters suggested that we require management to evaluate the effectiveness of a company's internal control over financial reporting using suitable control criteria established by a group that follows due process procedures.
After consideration of the comments, we have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. 66
The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, 67 and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors. The use of standard measures that are publicly available will enhance the quality of the internal control report and will promote comparability of the internal control reports of different companies. The final rules require management's report to identify the evaluation framework used by management to assess the effectiveness of the company's internal control over financial reporting. 68
Specifically, a suitable framework must: be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company's internal control; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting. 69
b. Auditor Independence Issues
Because the auditor is required to attest to management's assessment of internal control over financial reporting, management and the company's independent auditors will need to coordinate their processes of documenting and testing the internal controls over financial reporting. However, we remind companies and their auditors that the Commission's rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client. 70 As the Commission stated in its auditor independence release, auditors may assist management in documenting internal controls. When the auditor is engaged to assist management in documenting internal controls, management must be actively involved in the process. We understand the need for coordination between management and the auditor, however, we remind companies and auditors that management cannot delegate its responsibility to assess its internal controls over financial reporting to the auditor. 71 The rules adopted today do not amend the Commission's rules on auditor independence.
c. Material Weaknesses in Internal Control over Financial Reporting
In the Proposing Release, we did not propose any specific standard on which management would base its conclusion that the company's internal control over financial reporting is effective. We requested comment on whether we should prescribe specific standards upon which an effectiveness determination would be based, and also what standards we should consider. Several commenters agreed that the final rules should specify standards, and all believed that the existence of a material weakness in internal control over financial reporting should preclude a conclusion by management that a registrant's internal control over financial reporting is effective. We have considered these comments, and agree that the rules should set forth this threshold for concluding that a company's internal control over financial reporting is effective.
The final rules therefore preclude management from determining that a company's internal control over financial reporting is effective if it identifies one or more material weaknesses in the company's internal control over financial reporting. 72 For purposes of the final rules, the term "material weakness" has the same meaning as in the definition under GAAS and attestation standards. 73 The final rules also specify that management's report must include disclosure of any "material weakness" in the company's internal control over financial reporting identified by management in the course of its evaluation. 74
Many commenters addressed the method of evaluating internal control over financial reporting, and some sought additional precision or guidance regarding the extent of evaluation, including the documentation required. 75 The methods of conducting evaluations of internal control over financial reporting will, and should, vary from company to company. Therefore, the final rules do not specify the method or procedures to be performed in an evaluation. However, in conducting such an evaluation and developing its assessment of the effectiveness of internal control over financial reporting, a company must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. Developing and maintaining such evidential matter is an inherent element of effective internal controls. 76 An instruction to new Item 308 of Regulations S-K and S-B and Forms 20-F and 40-F reminds registrants to maintain such evidential matter. 77
The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to: controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements; controls related to the initiation and processing of non-routine and non-systematic transactions; controls related to the selection and application of appropriate accounting policies; and controls related to the prevention, identification, and detection of fraud. The nature of a company's testing activities will largely depend on the circumstances of the company and the significance of the control. However, inquiry alone generally will not provide an adequate basis for management's assessment. 78
An assessment of the effectiveness of internal control over financial reporting must be supported by evidential matter, including documentation, regarding both the design of internal controls and the testing processes. This evidential matter should provide reasonable support: for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; for the conclusion that the tests were appropriately planned and performed; and that the results of the tests were appropriately considered. The public accounting firm that is required to attest to, and report on, management's assessment of the effectiveness of the company's internal control over financial reporting also will require that the company develop and maintain such evidential matter to support management's assessment. 79
e. Location of Management's Report
Although the final rules do not specify where management's internal control report must appear in the company's annual report, we think it is important for management's report to be in close proximity to the corresponding attestation report issued by the company's registered public accounting firm. We expect that many companies will choose to place the internal control report and attestation report near the companies' MD&A disclosure or in a portion of the document immediately preceding the companies' financial statements.
C. Quarterly Evaluations of Internal Control over Financial Reporting
We proposed to require a company's certifying officers to evaluate the effectiveness of the company's internal controls and procedures for financial reporting as of the end of the period covered by each annual and quarterly report that the company is required to file under the Exchange Act. The company's certifying officers already are required to evaluate the effectiveness of the company's disclosure controls and procedures on a quarterly basis. 80 We noted that a quarterly evaluation requirement with respect to internal controls would create symmetry between our requirements for periodic evaluations of both the company's disclosure controls and procedures and its internal controls and procedures for financial reporting, and give effect to the language in the Section 302 certification requirements regarding quarterly internal control evaluations.
We received responses from 25 commenters on the proposed amendments. Of the 25 commenters, four supported the proposal to require quarterly evaluations of internal controls and procedures for financial reporting. 81 One commenter specifically concurred with our objective of creating symmetry between the requirements to conduct periodic evaluations of both the company's disclosure controls and procedures and its internal controls and procedures for financial reporting. 82
Twenty-one commenters opposed quarterly evaluations of internal controls. 83 Many of these believed that quarterly evaluations would impose substantial additional costs on companies without producing any incremental benefit to investors. One individual stated that the proper evaluation of a company's system of internal controls is a weighty and time-consuming process. 84 Twelve of the commenters opposed to quarterly evaluations indicated that quarterly evaluations of all aspects of internal controls and procedures would be extremely burdensome, expensive and difficult to perform under the time constraints of quarterly reporting, particularly as the accelerated filing deadlines for quarterly reports take effect. 85 Several other commenters argued that we should not go beyond the requirements of Section 404 of the Sarbanes-Oxley Act with respect to the frequency of internal control reporting without an adequate basis for doing so. 86 These commenters remarked that such a decision would be better made after we have had sufficient experience with the Section 302 certification requirements adopted in August of 2002.
Several commenters suggested alternatives to quarterly evaluations. Five commenters stated that it would be more appropriate and desirable if companies were required to make quarterly disclosure only of material changes to their internal control that occurred subsequent to management's most recent annual internal control evaluation. 87 Two other commenters similarly recommended that the quarterly evaluation be less rigorous than the annual evaluation. 88 One commenter stated that we should instead adopt an approach that requires less effort and assurance for purposes of quarterly reports, such as permitting companies to test compliance with controls relating to major applications on a rotating basis throughout the year. 89 This commenter further stated that the objective of the quarterly evaluation should be to identify changes in controls during the quarter and evaluate whether they would change the certifying officers' conclusions about disclosure controls and internal controls as stated in the most recent annual report. The other commenter, although opposed to any quarterly evaluation requirement, believed that if we did require it, the quarterly evaluation should be viewed as an update of the annual evaluation, just as the quarterly report on Form 10-Q is an update of the annual report on Form 10-K. 90 One commenter stated that if we require some form of quarterly certification, it should be limited to negative assurance that nothing has come to the certifying officers' attention since the prior year's evaluation to suggest that the controls are no longer effective. 91
After consideration of the comments received, we have decided not to require quarterly evaluations of internal control over financial reporting that are as extensive as the annual evaluation. We recognize that some controls operate continuously while others operate only at certain times, such as the end of the fiscal year. We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances. The management of each company should perform evaluations of the design and operation of the company's entire system of internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the company's fiscal year, the design and operation of the company's internal control over financial reporting are effective.
Accordingly, we are adopting amendments that require a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. We also have adopted a modification to the Section 302 certification requirement and our disclosure requirements to adopt this approach, as discussed below.
The management of a foreign private issuer that has Exchange Act reporting obligations must also, like its domestic counterparts, report any material changes to the issuer's internal control over financial reporting. However, because foreign private issuers are not required to file quarterly reports under Section 13(a) or 15(d) of the Exchange Act, the final rules clarify that a foreign private issuer's management need only disclose in the issuer's annual report the material changes to its internal control over financial reporting that have occurred in the period covered by the annual report. 92
D. Differences between Internal Control over Financial Reporting and Disclosure Controls and Procedures
Many of the commenters on the Proposing Release indicated that they were confused as to the differences between a company's disclosure controls and procedures and a company's internal control over financial reporting. Exchange Act Rule 13a-15(d) defines "disclosure controls and procedures" to mean controls and procedures of a company that are designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. The definition further states that disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that the information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
While there is substantial overlap between a company's disclosure controls and procedures and its internal control over financial reporting, there are both some elements of disclosure controls and procedures that are not subsumed by internal control over financial reporting and some elements of internal control that are not subsumed by the definition of disclosure controls and procedures.
With respect to the latter point, clearly, the broad COSO description of internal control, which includes the efficiency and effectiveness of a company's operations and the company's compliance with laws and regulations (not restricted to the federal securities laws), would not be wholly subsumed within the definition of disclosure controls and procedures. A number of commenters suggested that the narrower concept of internal control, involving internal control over financial reporting, is a subset of a company's disclosure controls and procedures, given that the maintenance of reliable financial reporting is a prerequisite to a company's ability to submit or file complete disclosure in its Exchange Act reports on a timely basis. This suggestion focuses on the fact that the elements of internal control over financial reporting requiring a company to have a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles can be viewed as a subset of disclosure controls and procedures.
We agree that some components of internal control over financial reporting will be included in disclosure controls and procedures for all companies. In particular, disclosure controls and procedures will include those components of internal control over financial reporting that provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles. However, in designing their disclosure controls and procedures, companies can be expected to make judgments regarding the processes on which they will rely to meet applicable requirements. In doing so, some companies might design their disclosure controls and procedures so that certain components of internal control over financial reporting pertaining to the accurate recording of transactions and disposition of assets or to the safeguarding of assets are not included. For example, a company might have developed internal control over financial reporting that includes as a component of safeguarding of assets dual signature requirements or limitations on signature authority on checks. That company could nonetheless determine that this component is not part of disclosure controls and procedures. We therefore believe that while there is substantial overlap between internal control over financial reporting and disclosure controls and procedures, many companies will design their disclosure controls and procedures so that they do not include all components of internal control over financial reporting.
E. Evaluation of Disclosure Controls and Procedures
The rules in place starting in August 2002 requiring quarterly evaluations of disclosure controls and procedures and disclosure of the conclusions regarding effectiveness of disclosure controls and procedures have not been substantively changed since their adoption, including in the rules that we adopt today. These evaluation and disclosure requirements will continue to apply to disclosure controls and procedures, including the elements of internal control over financial reporting that are subsumed within disclosure controls and procedures.
With respect to evaluations of disclosure controls and procedures, companies must, under our rules and consistent with the Sarbanes-Oxley Act, evaluate the effectiveness of those controls and procedures on a quarterly basis. While the evaluation is of effectiveness overall, a company's management has the ability to make judgments (and it is responsible for its judgments) that evaluations, particularly quarterly evaluations, should focus on developments since the most recent evaluation, areas of weakness or continuing concern or other aspects of disclosure controls and procedures that merit attention. Finally, the nature of the quarterly evaluations of those components of internal control over financial reporting that are subsumed within disclosure controls and procedures should be informed by the purposes of disclosure controls and procedures. 93
The rules adopted in August 2002 required the management of an Exchange Act reporting foreign private issuer to evaluate and disclose conclusions regarding the effectiveness of the issuer's disclosure controls and procedures only in its annual report and not on a quarterly basis. The primary reason for this treatment is because foreign private issuers are not subject to mandated quarterly reporting requirements under the Exchange Act. The rules adopted today continue this treatment. 94
F. Periodic Disclosure about the Certifying Officers' Evaluation of the Company's Disclosure Controls and Procedures and Disclosure about Changes to its Internal Control over Financial Reporting
1. Existing Disclosure Requirements
The rules that we adopted in August 2002 to implement the certification requirements of Section 302 of the Sarbanes-Oxley Act included new Item 307 of Regulations S-B and S-K. Paragraph (a) of Item 307 requires companies, in their quarterly and annual reports, to disclose the conclusions of the company's principal executive and financial officers (or persons performing similar functions) about the effectiveness of the company's disclosure controls and procedures as of a date within 90 days of the filing date of the quarterly or annual report. This disclosure enables the certifying officers to satisfy the representation made in their certifications that they have "presented in the quarterly or annual report their conclusions about the effectiveness of the disclosure controls and procedures based on their evaluation."
Paragraph (b) of Item 307 requires the company to disclose in each quarterly and annual report whether or not there were significant changes in the company's internal controls or in other factors that could significantly affect these controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. This disclosure enables the certifying officers to satisfy the representation made in their certifications that they have "indicated in the quarterly or annual report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses."
2. Proposed Amendments to the Disclosure Requirements
In the Proposing Release, we proposed several revisions to the existing disclosure requirements regarding: (1) the certifying officers' evaluation of the company's disclosure controls and procedures; and (2) changes to the company's internal control over financial reporting. We also proposed to require quarterly disclosure regarding the conclusions of the certifying officers about the effectiveness of the company's internal control over financial reporting.
Moreover, we proposed to require evaluations of both types of controls as of the end of the period covered by the quarterly or annual report, rather than "as of a date within 90 days of the filing date" of the quarterly or annual report, as currently required with respect to disclosure controls. With respect to the disclosure about changes to the company's internal control over financial reporting, we proposed to require a company to disclose "any significant changes made during the period covered by the quarterly or annual report" rather than "whether or not there were significant changes in the company's internal control over financial reporting that could significantly affect these controls subsequent to the date of their evaluation."
The commenters were mixed in their reaction to these proposed changes. A couple of the commenters remarking on the point at which a company must undertake an evaluation of its controls "strongly agreed" with the proposed change to require evaluations as of the end of the period. Several other commenters preferred the existing "90 days within the filing date" evaluation point, noting that it provides more flexibility than the fixed point. Some of these commenters expressed concern that it would be hard to conduct evaluations on the last day of the period. One of the commenters suggested that the proposed requirement that a company disclose changes to its internal control over financial reporting that occurred at any time during a fiscal quarter was inconsistent with the proposed requirement that management evaluate such changes "as of the end of each fiscal quarter." 95 An additional commenter asserted that it was critical that we offer companies some guidance as to the types of changes that constitute "significant changes." 96 Finally, a few commenters noted that while we had proposed to delete the words "or other factors" from Exchange Act Rules 13a-14(b)(6) and 15d-14(b)(6) regarding disclosure of "significant changes in internal controls or in other factors that could significantly affect internal controls...," we had not likewise proposed to delete those words from the actual certification language.
3. Final Disclosure Requirements
After consideration of the comments, we are adopting the proposals with several modifications. We are adopting as proposed the change of the evaluation date for disclosure controls to "as of the end of the period" covered by the quarterly or annual report. We are not specifying the point at which management must evaluate changes to the company's internal control over financial reporting. Given that the final rules do not require a company to state the conclusions of the certifying officers regarding the effectiveness of the company's internal control over financial reporting as of a particular date on a quarterly basis as proposed, as the company must with respect to disclosure controls and procedures, it is unnecessary to specify a date for the quarterly evaluation of changes in internal control over financial reporting. We believe that this change is consistent with the new accelerated reporting deadlines. 97
We are amending the proposal that would have required companies to disclose any significant changes in its internal controls. Under the final rules, a company must disclose any change in its internal control over financial reporting that occurred during the fiscal quarter covered by the quarterly report, or the last fiscal quarter in the case of an annual report, that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. 98 Furthermore, we have deleted the phrase "or in other factors" from Exchange Act Rules 13a-14 and 15d-15 and the form of certification. Although the final rules do not explicitly require the company to disclose the reasons for any change that occurred during a fiscal quarter, or to otherwise elaborate about the change, a company will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosure about the change not misleading. 99
While an evaluation of the effectiveness of disclosure controls and procedures must be undertaken on a quarterly basis, we expect that for purposes of disclosure by domestic companies, the traditional relationship between disclosure in annual reports on Form 10-K and intervening quarterly reports on Form 10-Q will continue. Disclosure in an annual report that continues to be accurate need not be repeated. Rather, disclosure in quarterly reports may make appropriate reference to disclosures in the most recent annual report (and, where appropriate, intervening quarterly reports) and disclose subsequent developments required to be disclosed in the quarterly report.
We note that, as required by the Sarbanes-Oxley Act, the quarterly certification regarding disclosure that the certifying officers must make to the company's auditors and audit committee provides: 100
The company's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.
We expect that if a certifying officer becomes aware of a significant deficiency, material weakness or fraud requiring disclosure outside of the formal evaluation process or after the management's most recent evaluation of internal control over financial reporting, he or she will disclose it to the company's auditors and audit committee.
4. Conclusions Regarding Effectiveness of Disclosure Controls and Procedures
In disclosures required under current Item 307 of Regulations S-K and S-B, Item 15 of Form 20-F and General Instruction B(6) to Form 40-F, some companies have indicated that disclosure controls and procedures are designed only to provide "reasonable assurance" that the controls and procedures will meet their objectives. In reviewing those disclosures, the Commission staff generally has not objected to that type of disclosure. The staff has, however, requested companies including that type of disclosure to set forth, if true, the conclusions of the principal executive and principal financial officer that the disclosure controls and procedures are, in fact, effective at the "reasonable assurance" level. Other companies have included disclosure that there is "no assurance" that the disclosure controls and procedures will operate effectively under all circumstances. In these instances, the staff has requested companies to clarify that the disclosure controls and procedures are designed to provide reasonable assurance of achieving their objectives and to set forth, if true, the conclusions of the principal executive and principal financial officers that the controls and procedures are, in fact, effective at the "reasonable assurance" level.
The concept of reasonable assurance is built into the definition of internal control over financial reporting that we are adopting. This conforms to the standard contained in the internal accounting control provisions of Section 13(b)(2) of the Exchange Act 101 and current auditing literature. 102 If management decides to include a discussion of reasonable assurance in the internal control report, the discussion must be presented in a manner that neither makes the disclosure in the report confusing nor renders management's assessment concerning the effectiveness of the company's internal control over financial reporting unclear.
G. Attestation to Management's Internal Control Report by the Company's Registered Public Accounting Firm
In the Proposing Release, we proposed to amend Rules 210.1-02 and 210.2-02 of Regulation S-X to make conforming revisions to Regulation S-X to reflect the registered public accounting firm attestation requirements mandated by Section 404(b) of the Sarbanes-Oxley Act. Under the proposals, we set forth a definition for the new term "attestation report on management's evaluation of internal control over financial reporting" and certain requirements for the accountant's attestation report. We are adopting the proposals substantially as proposed. However, the final rules define the expanded term "attestation report on management's evaluation of internal control over financial reporting." Several commenters suggested that we use this more specific term, noting that auditors currently perform attestation engagements on a broad variety of subjects. Amended Rule 2-02 requires every registered public accounting firm that issues an audit report on the company's financial statements that are included in its annual report required by Section 13(a) or 15(d) of the Exchange Act containing an assessment by management of the effectiveness of the registrant's internal control over financial reporting must attest to, and report on, such assessment.
At the time of the enactment of the Sarbanes-Oxley Act, the applicable standard for attestation by auditors of internal control over financial reporting was set forth in Statements on Standards for Attestation Engagements No. 10 ("SSAE No. 10"). That standard was used by auditors providing attestations on a voluntary basis to companies, as well as by auditors whose financial institution clients are required to obtain attestations under Federal Deposit Insurance Corporation Improvement Act of 1991, 103 as discussed below. Under the Sarbanes-Oxley Act, the PCAOB has become the body that sets auditing and attestation standards generally for registered public accounting firms to use in the preparation and issuance of audit reports on the financial statements of issuers, and under Section 404(b) of the Sarbanes-Oxley Act, the PCAOB is required to set standards for the registered public accounting firms' attestations to, and reports on, management's assessment regarding its internal control over financial reporting.
On April 16, 2003, the PCAOB designated Statements on Standards for Attestation Engagements as existed on April 16 as the standard for attestations of management's assessment of the effectiveness of internal control over financial reporting pending further PCAOB standard-setting in the area (and subject to our approval of the PCAOB's actions), and on April 25, we approved the PCAOB's action. SSAE No. 10 is thus the standard applicable on a transition basis for attestations required under Section 404 of the Act and the rules we are adopting today, again pending further PCAOB standard-setting (and our approval). We expect that the PCAOB will assess the appropriateness of those standards and modify them as needed, and any future standards adopted by the PCAOB will apply to registered public accounting firms in connection with the preparation and issuance of attestation reports on management's assessment of the effectiveness of internal control over financial reporting.
H. Types of Companies Affected
Section 404 of the Sarbanes-Oxley Act states that the Commission must prescribe rules that require each annual report required by Section 13(a) or 15(d) of the Exchange Act to contain an internal control report. The Act exempts registered investment companies from this requirement. 104
Section 404 of the Sarbanes-Oxley Act makes no distinction between domestic and foreign issuers and, by its terms, clearly applies to foreign private issuers. These amendments, therefore, apply the management report on internal control over financial reporting requirement to foreign private issuers that file reports under Section 13(a) or 15(d) of the Exchange Act. We have, however, adopted a later compliance date for foreign private issuers than for accelerated filers.
In the Proposing Release, we proposed to exclude issuers of asset-backed securities from the proposed rules implementing Section 404 of the Act. We noted that because of the unique nature of asset-backed issuers, such issuers are subject to substantially different reporting requirements. Most significantly, asset-backed issuers are generally not required to file the types of financial statements that other companies must file. Also, such entities typically are passive pools of assets, without a board of directors or persons acting in a similar capacity. We did not receive any comments on the proposed exclusion of asset-backed issuers from the internal control reporting requirements, and we are excluding asset-backed issuers from the new disclosure requirements as proposed.
Our proposed rules implementing Section 404 of the Act did not distinguish between large and small issuers. Similarly, Section 404 of the Act directs that the management report on internal control over financial reporting apply to any company filing periodic reports under Section 13(a) or 15(d) of the Exchange Act. Accordingly, these amendments apply to all issuers that file Exchange Act periodic reports, except registered investment companies, regardless of their size. However, we are sensitive that many small business issuers may experience difficulty in evaluating their internal control over financial reporting because these issuers may not have as formal or well-structured a system of internal control over financial reporting as larger companies. Accordingly, we are providing an extended compliance period for small business issuers and other companies that are not accelerated filers. 105 In addition, our approach of not mandating specific criteria to be used by management to evaluate a company's internal control over financial reporting should provide small issuers some flexibility in meeting these disclosure requirements.
4. Bank and Thrift Holding Companies
In the Proposing Release, we stated that we were coordinating with the Federal Deposit Insurance Corporation (the "FDIC") and the other federal banking regulators to eliminate, to the extent possible, any unnecessary duplication between our proposed internal control report and the FDIC's internal control report requirements. Under regulations adopted by the FDIC implementing Section 36 of the Federal Deposit Insurance Act, 106 a federally insured depository institution with total assets of $500 million or more ("institution"), is required, among other things, to prepare an annual management report that contains:
- A statement of management's responsibility for preparing the institution's annual financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with designated laws and regulations relating to safety and soundness; 107 and
- Management's assessment of the effectiveness of the institution's internal control structure and procedures for financial reporting as of the end of the fiscal year and the institution's compliance with the designated safety and soundness laws and regulations during the fiscal year. 108
The FDIC's regulations additionally require the institution's independent accountant to examine, and attest to, management's assertions concerning the effectiveness of the institution's internal control structure and procedures for financial reporting. 109 The institution's management report and the accountant's attestation report must be filed with the FDIC, the institution's primary federal regulator (if other than the FDIC), and any appropriate state depository institution supervisor and must be available for public inspection. 110
Although bank and thrift holding companies are not required under the FDIC's regulations to prepare these internal control reports, many of these holding companies do so under a provision of Part 363 of the FDIC's regulations 111 that permits an insured depository institution that is the subsidiary of a holding company to satisfy its internal control report requirements with an internal control report of the consolidated holding company's management if:
- Services and functions comparable to those required of the subsidiary by Part 363 are provided at the holding company level; 112 and
- The subsidiary has, as of the beginning of its fiscal year, (i) total assets of less than $5 billion or (ii) total assets of $5 billion or more and a composite rating of 1 or 2 under the Uniform Financial Institutions Rating System. 113
Section 404 of the Sarbanes-Oxley Act does not contain an exemption for insured depository institutions that are both subject to the FDIC's internal control report requirements and required to file Exchange Act reports. In fact, it makes no distinction whatsoever between institutions subject to the FDIC's requirements and other types of Exchange Act filers. Accordingly, regardless of whether an insured depository institution is subject to the FDIC's requirements, insured depository institutions or holding companies that are required to file periodic reports under Section 13(a) or 15(d) of the Exchange Act are subject to the internal control reporting requirements that we are adopting today.
Although our final rules are similar to the FDIC's internal control report requirements, the rules differ in a few significant respects. Most notably, our final rules do not require a statement of compliance with designated laws and regulations relating to safety and soundness. Conversely, the following provisions in our rules are not included in the FDIC's regulations:
- The requirement that the report include a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; 114
- The requirement that management disclose any material weakness that it has identified in the company's internal control over financial reporting (and related stipulation that management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses);
- The requirement that the company state that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting; and
- The requirement that the company must provide the registered public accounting firm's attestation report on management's assessment of internal control over financial reporting in the company's annual report filed under the Exchange Act. 115
Several commenters generally supported our goal to eliminate or reduce duplicative reporting requirements. Some of these commenters asserted that we should recognize the substantial protections to depositors and investors provided by the federal laws that govern depository institutions and their holding companies. They suggested that our final rules should state that compliance with the FDIC's internal control report requirements satisfies the internal control report requirements that we are adopting under Section 404. A number of these commenters also thought that if we did not exempt insured depository institutions already filing internal control reports under the FDIC's requirements, we should provide an exemption in our rules mirroring the FDIC's exemption that excludes insured depository institutions or their holding companies with less than $500 million in assets from the internal control report requirements.
After consultation with the staffs of the FDIC, the Federal Reserve Board, the Office of Thrift Supervision and the Office of the Comptroller of Currency, we have determined that insured depository institutions that are subject to Part 363 of the FDIC's regulations (as well as holding companies permitted to file an internal control report on behalf of their insured depository institution subsidiaries in satisfaction of these regulations) and also subject to our new rules implementing Section 404 of the Sarbanes-Oxley Act 116 should be afforded considerable flexibility in determining how best to satisfy both sets of requirements. Therefore, they can choose either of the following two options:
- They can prepare two separate management reports to satisfy the FDIC's and our new requirements; or
- They can prepare a single management report that satisfies both the FDIC's requirements and our new requirements.
If an insured depository institution or its holding company chooses to prepare a single report to satisfy both sets of requirements, the report of management on the institution's or holding company's internal control over financial reporting (as defined in Exchange Act Rule 13a-15(f) or 15d-15(f)) will have to contain the following: 117
- A statement of management's responsibility for preparing the registrant's annual financial statements, for establishing and maintaining adequate internal control over financial reporting for the registrant, and for the institution's compliance with laws and regulations relating to safety and soundness designated by the FDIC and the appropriate federal banking agencies;
- A statement identifying the framework used by management to evaluate the effectiveness of the registrant's internal control over financial reporting as required by Exchange Act Rule 13a-15 or 15d-15;
- Management's assessment of the effectiveness of the registrant's internal control over financial reporting as of the end of the registrant's most recent fiscal year, including a statement as to whether or not management has concluded that the registrant's internal control over financial reporting is effective, and of the institution's compliance with the designated safety and soundness laws and regulations during the fiscal year. This discussion must include disclosure of any material weakness in the registrant's internal control over financial reporting identified by management; 118 and
- A statement that the registered public accounting firm that audited the financial statements included in the registrant's annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.
Additionally, the institution or holding company will have to provide the registered public accounting firm's attestation report on management's assessment in its annual report filed under the Exchange Act. 119 For purposes of the report of management and the attestation report, financial reporting must encompass both financial statements prepared in accordance with GAAP and those prepared for regulatory reporting purposes.
I. Registered Investment Companies
Section 404 of the Sarbanes-Oxley Act does not apply to registered investment companies, and we are not extending any of the requirements that would implement section 404 to registered investment companies. 120 Several commenters objected to the proposed requirement that the Section 302 certification include a statement of the officers' responsibility for internal controls. 121 These commenters argued that this requirement would contradict Section 405 of the Sarbanes-Oxley Act and represent a "back-door" application of Section 404, from which registered investment companies are exempt. 122 We disagree. The certification requirements implement Section 302 of the Sarbanes-Oxley Act, from which registered investment companies are not exempt. 123 We are not subjecting registered investment companies to the requirements implementing Section 404 of the Sarbanes-Oxley Act, including the annual and quarterly evaluation requirements with respect to internal control over financial reporting and the requirements for an annual report by management on internal control over financial reporting and an attestation report on management's assessment.
We are adopting the following technical changes to our rules and forms implementing Section 302 of the Sarbanes-Oxley Act for registered investment companies in order to conform to the changes that we are adopting for operating companies. 124
- Paragraph (d) of Investment Company Act Rule 30a-3 . The amendments use the same term "internal control over financial reporting" that we are using in the rules for operating companies and include the same definition of "internal control over financial reporting" that we are adopting in Exchange Act Rules 13a-15(f) and 15d-15(f).
- Paragraph (a) of Investment Company Act Rule 30a-3 . The amendments require every registered management investment company, other than a small business investment company, to maintain internal control over financial reporting. These amendments parallel those that we are adopting for operating companies in Exchange Act Rules 13a-15(a) and 15d-15(a).
- Introductory text and sub-paragraph (b) of paragraph 4 of the certification in Item 10(a)(2) of Form N-CSR . The amendments require the signing officers to state that they are responsible for establishing and maintaining internal control over financial reporting, and that they have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
- Paragraph (4)(d) of the certification of Item 10(a)(2), and Item 9(b) of Form N-CSR . The amendments require disclosure of any change in the investment company's internal control over financial reporting that occurred during the most recent fiscal half-year that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.
- Paragraph (5) of the certification of Item 10(a)(2) of Form N-CSR . The amendments require the signing officers to state that they have disclosed to the investment company's auditors and the audit committee all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the investment company's ability to record, process, summarize, and report financial information.
We are not, however, adopting proposed amendments that would have required the evaluation by an investment company's management of the effectiveness of its disclosure controls and procedures to be as of the end of the period covered by each report on Form N-CSR, rather than within 90 days prior to the filing date of the report, as our certification rules currently require. 125 Commenters noted that this would require investment company complexes that have funds with staggered fiscal year ends to perform evaluations of their disclosure controls and procedures as many as twelve times per year. They argued that requiring such frequent evaluations would be extremely costly, inefficient, and operationally disruptive, and would not provide any benefits to shareholders. 126 We agree that the costs of requiring investment company complexes to perform evaluations of their disclosure controls and procedures twelve times per year would outweigh the benefits to investors. The certification rules we are adopting will require an investment company complex to perform at most four such evaluations per year. 127
Transition Period for Registered Investment Companies
Registered investment companies must comply with the rule and form amendments applicable to them on and after August 14, 2003, except as follows. Registered investment companies must comply with the amendments to Exchange Act Rules 13a-15(a) and 15d-15(a) and Investment Company Act Rule 30a-3(a) that require them to maintain internal control over financial reporting with respect to fiscal years ending on or after June 15, 2004. In addition, registered investment companies must comply with the portion of the introductory language in paragraph 4 of the certification in Item 10(a)(2) of Form N-CSR that refers to the certifying officers' responsibility for establishing and maintaining internal control over financial reporting, as well as paragraph 4(b) of the certification, beginning with the first annual report filed on Form N-CSR for a fiscal year ending on or after June 15, 2004.
J. Transition Period
We received a number of comments urging us to adopt an extended transition period for compliance with the new disclosure requirements. 128 We have decided to delay the compliance date of the requirement to provide a management report assessing the effectiveness of internal control over financial reporting and an auditor's attestation to, and report on, that assessment beyond that in the Proposing Release so that companies and their auditors will have time to prepare and satisfy the new requirements. These compliance dates do not apply to registered investment companies, which are not required to provide the management report assessing the effectiveness of internal control over financial reporting and the related auditor's attestation. 129 A company that is an "accelerated filer," as defined in Exchange Act Rule 12b-2, as of the end of its first fiscal year ending on or after June 15, 2004, must begin to comply with the management report on internal control over financial reporting disclosure requirements promulgated under Section 404 of the Sarbanes-Oxley Act in its annual report for that fiscal year. We recognize that non-accelerated filers, including smaller companies and foreign private issuers, may have greater difficulty in preparing the management report on internal control over financial reporting. Therefore, these types of companies must begin to comply with the disclosure requirements in annual reports for their first fiscal year ending on or after April 15, 2005. A company must begin to comply with the quarterly evaluation of changes to internal control over financial reporting requirements for its first periodic report due after the first annual report that must include management's report on internal control over financial reporting. We believe that the transition period is appropriate in light of both the substantial time and resources needed to properly implement the rules 130 and the corresponding benefit to investors that will result. In addition, the transition period will provide additional time for the PCAOB to consider relevant factors in determining and implementing any new attestation standard as it finds appropriate, subject to our approval.
Consistent with this extended compliance period for management's internal control report and the related attestation, and for the subsequent evaluation of changes in internal control over financial reporting, the following provisions of the rules adopted today are subject to the extended compliance period:
- The provisions of Items 308(a) and (b) of Regulations S-K and S-B and the comparable provisions of Forms 20-F and 40-F requiring management's internal control report and the related attestation;
- The amendments to Rules 13a-15(a) and 15d-15(a) under the Exchange Act relating to maintenance of internal control over financial reporting; and
- The provisions of Rules 13a-15(c) and (d) and 15d-15(c) and (d) under the Exchange Act requiring evaluations of internal control over financial reporting and changes thereto.
The extended compliance period does not in any way affect the provisions of our other rules and regulations regarding internal controls that are in effect, including, without limitation, Rule 13b-2 under the Exchange Act.
Other rules relating to evaluation and disclosure adopted today are effective on August 14, 2003. These other rules include amendments to Items 308(c) of Regulations S-K and S-B and the comparable provisions of Forms 20-F and 40-F requiring disclosure regarding certain changes in internal control over financial reporting. These amendments modify existing requirements regarding disclosure of changes in internal control over financial reporting, are related to statements made in the Section 302 certifications of principal executive and financial officers, and provide clarifications that are beneficial and whose implementation need not be delayed. These other rules that are effective on August 14, 2003, also include amendments relating to disclosure controls and procedures.
III. DISCUSSION OF AMENDMENTS RELATED TO CERTIFICATIONS
A. Proposed Rules
We proposed to amend our rules and forms to require companies to file the certifications required by Section 302 of the Sarbanes-Oxley Act as an exhibit to the periodic reports to which they relate. Specifically, we proposed to amend the exhibit requirements of Forms 20-F and
40-F and Item 601 of Regulations S-B and S-K to add the Section 302 certifications to the list of required exhibits. In addition, we proposed to amend Exchange Act Rules 13a-14 and 15d-14 to require that Section 906 certifications accompany the periodic reports to which they relate, and to amend Forms 20-F and 40-F and Item 601 of Regulations S-B and S-K to add Section 906 certifications to the list of required exhibits. We also proposed to amend Investment Company Act Rule 30a-2 to require that Section 906 certifications accompany the periodic reports on Form N-CSR to which they relate and Item 10 of Form N-CSR to add the Section 906 certifications as a required exhibit.
We received eight comment letters in response to the proposals. 131 The primary topic addressed by the commenters was whether Section 906 of the Sarbanes-Oxley Act applied to annual reports filed on Form 11-K. Most of the commenters believed that issuers required to file annual reports on Form 11-K should be exempt from the requirement to furnish a Section 906 certification as an exhibit. 132 Two commenters noted that the language of Section 906 that requires certification of the chief executive officer and chief financial officer (or equivalent thereof) is inconsistent with the actual administration of employee benefit plans because such plans do not have individuals acting as chief executive officer and chief executive officer. 133 Those commenters noted that employee benefit plans are typically administered through one or more committees that are appointed as the plan's named fiduciaries to administer the plan and oversee investments. 134 In addition, some commenters believed that we should provide an exemption for Form 11-K because employee benefit plans are already subject to extensive regulation under the Employee Retirement Income Security Act of 1974 ("ERISA"), 135 which includes a requirement for the plan administrator to certify, under penalties of perjury and other criminal and administrative penalties, the accuracy of the plan's disclosures under ERISA. 136
Commenters also addressed other topics related to Section 906. One commenter requested that the Commission allow Section 906 certifications to remain confidential. 137 That commenter expressed concern that a plaintiff could use a Section 906 certification to create a basis for liability that did not otherwise exist. 138 One commenter objected to the proposal to deem Section 906 certifications as "furnished," rather than as "filed." 139 After considering all of the comments, we are adopting the proposals substantially as proposed.
On April 11, 2003, U.S. Senator Joseph Biden introduced a statement into the Congressional Record that discusses Section 906. 140 The statement asserts that Section 906 "is intended to apply to any financial statement filed by a publicly-traded company, upon which the investing public will rely to gauge the financial health of the company," which includes financial statements included in current reports on Forms 6-K and 8-K and annual reports on Form 11-K. 141 The language added to Title 18 by Section 906 refers to "periodic reports containing financial statements," and our proposals to require companies to furnish Section 906 certifications as exhibits applied to periodic (annual, semi-annual and quarterly) reports but did not address current reports on Forms 6-K and 8-K. 142 One commenter addressed the statement in the Congressional Record, indicating that the suggested requirements would create substantial practical burdens for companies to provide Section 906 certifications in current reports filed on Forms 6-K or 8-K. 143 We are also concerned that extending Section 906 certifications to Forms 6-K or 8-K could potentially chill the disclosure of information by companies. As noted above, four commenters argued that Section 906 should not apply to Form 11-K. 144 In light of these developments, we are considering, in consultation with the Department of Justice, the application of Section 906 to current reports on Forms 6-K and 8-K and annual reports on Form 11-K and the possibility of taking additional action.
B. Final Rules
We are amending the exhibit requirements of Forms 20-F and 40-F and Item 601 of Regulations S-B and S-K to add the Section 302 certifications to the list of required exhibits. 145 In the final rules, the specific form and content of the required certifications is set forth in the applicable exhibit filing requirement. 146 To coordinate the rules requiring an evaluation of "disclosure controls and procedures" and "internal control over financial reporting," we are moving the definition of the term "disclosure controls and procedures" from Exchange Act Rules 13a-14(c) and 15d-14(c) and Investment Company Act Rule 30a-2(c) to new Exchange Act Rules 13a-15(c) and 15d-15(c) and Investment Company Act Rule 30a-3(c), respectively.
We are amending Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 to require the Section 906 certifications to accompany periodic reports containing financial statements as exhibits. We also are amending the exhibit requirements in Forms 20-F, 40-F and Item 601 of Regulations S-B and S-K to add the Section 906 certifications to the list of required exhibits to be included in reports filed with the Commission. In addition, we are amending Item 10 of Form N-CSR to add the Section 906 certifications as a required exhibit. Because the Section 906 certification requirement applies to periodic reports containing financial statements that are filed by an issuer pursuant to Section 13(a) or 15(d) of the Exchange Act, the exhibit requirement will only apply to reports on Form N-CSR filed under these sections and not to reports on Form N-CSR that are filed under the Investment Company Act only. 147 A failure to furnish the Section 906 certifications would cause the periodic report to which they relate to be incomplete, thereby violating Section 13(a) of the Exchange Act. 148 In addition, referencing the Section 906 certifications in Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 subjects these certifications to the signature requirements of Rule 302 of Regulation S-T. 149
Section 906 requires that the certifications "accompany" the periodic report to which they relate. This is in contrast to Section 302, which requires the certifications to be included "in" the periodic report. In recognition of this difference, we are permitting companies to "furnish," rather than "file," the Section 906 certifications with the Commission. 150 Thus, the certifications would not be subject to liability under Section 18 of the Exchange Act. 151 Moreover, the certifications would not be subject to automatic incorporation by reference into a company's Securities Act registration statements, which are subject to liability under Section 11 of the Securities Act, 152 unless the issuer takes steps to include the certifications in a registration statement.
Although Section 906 does not explicitly require the certifications to be made public, we believe that it is appropriate to require certifications that "accompany" a publicly filed periodic report to be provided publicly in this manner. We believe that Congress intended for Section 906 certifications to be publicly provided. Civil liability already exists under our signature requirements and the Section 302 certifications. In addition, any Section 906 certification submitted to the Commission as correspondence is subject to the Freedom of Information Act. 153 Finally, the requirement to furnish Section 906 certifications as exhibits serves a number of important functions. First, the exhibit requirement enhances compliance by allowing the Commission, the Department of Justice and the public to monitor the certifications effectively. Second, by subjecting the Section 906 certifications to the signature requirements of Regulation S-T, companies are required to retain a manually signed signature page or other authenticating document for a five-year period. This requirement helps to preserve evidential matter in the event of prosecution.
There are important distinctions to be made between Sections 302 and 906 of the Sarbanes-Oxley Act. Unlike the Section 302 certifications, the Section 906 certifications are required only in periodic reports that contain financial statements. Therefore, amendments to periodic reports that do not contain financial statements would not require a new Section 906 certification, but would require a new Section 302 certification to be filed with the amendment. 154 In addition, unlike the Section 302 certifications, the Section 906 certifications may take the form of a single statement signed by a company's chief executive and financial officers. 155
C. Effect on Interim Guidance Regarding Filing Procedures
We provided interim guidance regarding voluntary filing procedures for Section 906 certifications. 156 That guidance encouraged issuers to submit their Section 906 certifications as exhibits to the periodic reports to which they relate. 157 For issuers that are not investment companies, that interim voluntary guidance shall remain in effect until the rules become effective. In the event that the EDGAR system is not updated by the effective date, companies should submit the required certifications as Exhibit 99. 158 For registered investment companies, the interim guidance shall remain in effect until the rules become effective. 159
D. Form of Section 302 Certifications
We proposed several amendments to the form of certifications to be provided pursuant to Section 302 of the Sarbanes-Oxley Act. In particular, we proposed the following:
- The addition of a statement that principal executive and financial officers are responsible for designing internal controls and procedures for financial reporting or having such controls and procedures designed under their supervision;
- The clarification that disclosure controls and procedures may be designed under the supervision of principal executive and financial officers; and
- The revision of the statement as to the effectiveness of disclosure controls and procedures and internal controls and procedures for financial reporting would be as of the end of the period.
We have adopted the proposals referred to above substantially as proposed. In addition, we have made the following changes:
- We have incorporated the term "internal control over financial reporting" into the certification;
- We have amended the provision of the certification relating to changes in internal control over financial reporting, consistent with the final rules discussed above regarding evaluation and disclosure, so that it refers to changes that have materially affected or are reasonably likely to materially affect internal control over financial reporting;
- We have clarified that the statement as effectiveness of disclosure controls and procedures be as of the end of the period, but that the date of the evaluation is not specified; and
- We have made minor changes in the organization of the certification.
E. Transition Period
The final rules regarding filing of certifications under Sections 302 and 906, for companies other than registered investment companies, will be effective on August 14, 2003. The compliance dates applicable to registered investment companies are described in Section II. I., above.
We believe that changes in the form of Section 302 certification described above are beneficial to both registrants and investors because they clarify the provisions of the certification. With one exception, discussed below, the changes are also not related to our new requirements regarding management's internal control report. With that one exception, appropriateness of the modified certification is thus not affected by the extended compliance period we are providing in connection with management's internal control report and the related attestation. Our rules adopted today also therefore provide that the form of Section 302 certification will be modified, with that one exception, in accordance with these rules effective on August 14, 2003.
We are applying the extended compliance period to the portion of the introductory language in paragraph 4 of the Section 302 certification that refers to the certifying officers' responsibility for establishing and maintaining internal control over financial reporting for the company, as well as paragraph 4(b), which must be provided in the first annual report required to contain management's internal control report and thereafter. As noted above, this extended compliance period does not in any way affect the provisions of our other rules and regulations regarding internal controls that are in effect.
IV. PAPERWORK REDUCTION ACT
A. Background
Certain provisions of our final amendments contain "collection of information" requirements within the meaning of the Paperwork Reduction Act of 1995 ("PRA"). 160 We published a notice requesting comment on the collection of information requirements in the proposing release for the rule amendments, and we submitted these requirements to the Office of Management and Budget ("OMB") for review in accordance with the PRA. 161 The titles for the collection of information are:
(1) "Form 10-Q" (OMB Control No. 3235-0070);
(2) "Form 10-QSB" (OMB Control No. 3235-0416);
(3) "Form 10-K" (OMB Control No. 3235-0063);
(4) "Form 10-KSB" (OMB Control No. 3235-0420);
(5) "Form 20-F" (OMB Control No. 3235-0288);
(6) "Form 40-F" (OMB Control No. 3235-0381);
(7) "Regulation S-X" (OMB Control No. 3235-0009);
(8) "Regulation S-K" (OMB Control No. 3235-0071);
(9) "Regulation S-B" (OMB Control No. 3235-0417); and
(10) "Form N-CSR" (OMB Control No. 3235-0570).
The forms are periodic reports adopted under the Exchange Act and the Investment Company Act. The regulations set forth the disclosure requirements for periodic reports, registration statements and proxy and information statements filed by companies to ensure that investors are informed. The hours and costs associated with preparing, filing and sending these forms constitute reporting and cost burdens imposed by each collection of information. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. Compliance with the requirements is mandatory. Under our rules for the retention of manual signatures, 162 companies must retain, for a period of five years, an original signature page or other document authenticating, acknowledging or otherwise adopting the certifying officers' signatures that appear in their electronically filed periodic reports. Responses to the information collections are not kept confidential.
B. Summary of the Final Rules
The final rules require the annual report of every company that files periodic reports under Section 13(a) or 15(d) of the Exchange Act, other than reports by registered investment companies, to contain a report of management that includes:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
- A statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting;
- Management's assessment of the effectiveness of the company's internal control over financial reporting, as of the end of the most recent fiscal year; and
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's evaluation of the company's internal control over financial reporting.
We are adding these requirements pursuant to the legislative mandate in Section 404 of the Sarbanes-Oxley Act. Under our final rules, a company also will be required to evaluate and disclose any change in its internal control over financial reporting that occurred during the fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.
We are also adopting amendments to require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to their annual, semi-annual and quarterly reports. These amendments will enhance the ability of investors, the Commission staff, the Department of Justice and other interested parties to easily and efficiently access the certifications through our Electronic Data Gathering, Analysis and Retrieval ("EDGAR") system and facilitate better monitoring of a company's compliance with the certification requirements.
C. Summary of Comment Letters and Revisions to Proposals
We requested comment on the PRA analysis contained in the proposing releases addressing Section 404 and Sections 302 and 906 of the Sarbanes-Oxley Act. 163 We received no comments on our PRA estimates for the certification requirements. With respect to our PRA estimates for the rules implementing Section 404 of the Sarbanes-Oxley Act, eight commenters thought that our PRA estimates significantly understated the actual time and costs that companies would have to expend evaluating and reporting on their internal control over financial reporting. 164 However, few of these commenters provided actual alternative cost estimates, and none provided estimates that could be applied generally to all types and sizes of companies. One commenter believed that, based on its experience, we understated the burden estimate by at least a factor of 100. 165 In response to these commenters, and based on follow-up conversations with several of the commenters who expressed a view on our burden and cost estimates, we have revised our estimates as discussed more fully in Section IV.D below.
We have made a substantive modification to the proposed rules in response to the cost concerns expressed by commenters. Specifically, the final rules require companies to undertake a quarterly evaluation only of any change occurring during the fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. This change should substantially mitigate some of the costs and burdens associated with the proposed requirements.
We have made additional substantive changes to the proposed rule as well. First, the final rules require management to evaluate the company's internal control over financial reporting using a suitable framework, such as the COSO Framework. Second, the final rules expand the list of information that must be included in the management report and specify that management cannot conclude that a company's internal control over financial reporting is effective if there are one or more material weaknesses in such control. Under the final rules, management must identify the framework used to evaluate the company's internal control over financial reporting and disclose any material weaknesses in the company's internal control over financial reporting discovered through the evaluation. We do not believe that these changes significantly alter the burdens imposed on companies resulting from the required assessment of internal control over financial reporting.
D. Revisions to PRA Reporting and Cost Burden Estimates
As discussed above, in consideration of commenters' remarks, we are revising our PRA burden and cost estimates for the rules pertaining to Section 404 that we originally submitted to the OMB in connection with the proposed rules.
We derived our new burden hour estimates for the annual report forms by estimating the total amount of time that it will take a company's management to conduct the annual evaluation of its internal control over financial reporting and to prepare the required management report. 166 Our annual burden estimate is based on several assumptions. First, we assumed that the annual number of responses for each form would be consistent with the number of filings that we received in fiscal year 2002. 167 Second, we assumed that there is a direct correlation between the extent of the burden and the size of the reporting company, with the burden increasing commensurate with the size of the company. We believe that there will be a marked disparity of burdens and costs resulting from the new internal control requirements between the largest and smallest reporting companies. Our estimates reflect an average burden for all sizes of companies. Third, we assumed that the first-year burden would be greater than that for subsequent years, as a portion of the costs will reflect one-time expenditures associated with complying with the rule, such as compiling documentation, implementing new processes, and training staff. We also adjusted the second and third year estimates to account for the fact that management should become more efficient at conducting its internal control assessment and preparing the disclosure after the first year as the process becomes more routine. 168 Under these assumptions, we estimate that the average incremental burden for an annual filing will be 383 hours per company and the portion of that burden that is reflected as the cost associated with outside professionals is approximately $34,300 per company. For large corporations, we expect that this burden will be substantially higher. Indeed, we received estimates in the thousands of hours for some large and complex companies. Conversely, we expect small companies to find their burden to be less than this average. We also believe that many companies will experience costs well in excess of this average in the first year of compliance with the final rules. We believe that costs will decrease in subsequent years. This burden will also vary among companies based on the complexity of their organization and the nature of their current internal control procedures. We therefore calculated our estimates by averaging the estimated burdens over a three-year period.
We derived our burden estimates for the quarterly report forms by estimating the total amount of time that it will take a company's management to conduct the quarterly evaluation of material changes to the company's internal control over financial reporting and for the company to prepare the required disclosure about such changes. We believe that these quarterly evaluations will impose little additional burden, as much of the structure to conduct these evaluations will be established in connection with the annual evaluations. We estimate that the quarterly reporting will impose an additional burden of five hours per company in connection with each quarterly report. Accordingly, we did not revise our original burden hour estimates for the quarterly report forms.
We estimate the total annual incremental burden (for annual and quarterly reports) associated with the new internal control evaluation and disclosure requirements for all companies to be approximately 3,792,888 hours of company personnel time and a cost of $481,013,550 for the services of outside professionals. 169
Table 1 below presents these burdens and costs for each form affected by the final rules implementing Section 404 of Sarbanes-Oxley. We calculated the burden by multiplying the estimated number of affected responses by the estimated average number of hours that management will spend conducting its assessment of the company's internal control over financial reporting and preparing the related disclosure. For Exchange Act annual reports, we estimate that 75% of the burden of preparation is carried by the company internally and that 25% of the burden of preparation is carried by outside professionals retained by the company at an average cost of $300 per hour. 170 The portion of the burden carried by outside professionals is reflected as a cost, while the portion of the burden carried by the company internally is reflected in hours. There is no change to the estimated burden of the collections of information entitled "Regulation S-K," "Regulation S-B" and "Regulation S-X" because the burdens that these regulations impose are reflected in our revised estimates for the forms.
Table 1 : Incremental Paperwork Burden for the rules implementing Section 404
We do not believe that the amendments with respect to the Section 302 certifications result in a need to alter the burden estimates that we previously submitted to OMB because they merely relocate the certifications from the text of quarterly and annual reports filed or submitted under Section 13(a) or 15(d) of the Exchange Act to the "Exhibits" section of the reports. We are, however, revising the burden estimates for quarterly and annual reports and for Form N-CSR based on the amendment with respect to the Section 906 certification. 171 The PRA estimates for these amendments do not reflect a cost because we believe that the entire burden will be borne by company personnel. With respect to semi-annual reports on Form N-CSR, because the financial statements of registered management investment companies are not as complex as those of operating companies, we estimate that the amendments relating to the Section 906 certifications would result in an increase of one burden hour per portfolio. 172 We estimate that there are approximately 3,700 registered management investment companies that are required to file reports on Form N-CSR, containing 9,850 portfolios. The following table illustrates the incremental PRA estimates for the new Section 906 certification requirements:
Table 2: Incremental Paperwork Burden for Certification Requirements
Form | Annual Responses | Hours/Form | Total Hours Added |
20-F | 1,194 | 2 | 2,388 |
40-F | 134 | 2 | 268 |
10-K | 8,484 | 2 | 16,968 |
10-KSB | 3,820 | 2 | 7,640 |
10-Q | 23,743 | 2 | 47,486 |
10-QSB | 11,299 | 2 | 22,598 |
N-CSR | 7,400 | 2.66 173 | 19,700 |
Total | 117,048 |
V. COST-BENEFIT ANALYSIS
The amendments implementing Section 404 of the Sarbanes-Oxley Act are congressionally mandated. We recognize that implementation of the Sarbanes-Oxley Act will likely result in costs and benefits to the economy. We are sensitive to the costs and benefits imposed by our rules, and we have considered costs and benefits of our amendments.
A. Benefits
One of the main goals of the Sarbanes-Oxley Act is to enhance the quality of reporting and increase investor confidence in the financial markets. Recent market events have evidenced a need to provide investors with a clearer understanding of the processes that surround the preparation and presentation of financial information. These amendments are intended to accomplish the Act's goals by improving public company disclosure to investors about the extent of management's responsibility for the company's financial statements and internal control over financial reporting and the means by which management discharges its responsibility. The establishment and maintenance of internal control over financial reporting has always been an important responsibility of management. An effective system of internal control over financial reporting is necessary to produce reliable financial statements and other financial information used by investors. By requiring a report of management stating management's responsibility for the company's financial statements and internal control over financial reporting and management's assessment regarding the effectiveness of such control, investors will be able to better evaluate management's performance of its stewardship responsibilities and the reliability of a company's financial statements and other unaudited financial information.
The required annual evaluation of internal control over financial reporting will encourage companies to devote adequate resources and attention to the maintenance of such control. Additionally, the required evaluation should help to identify potential weaknesses and deficiencies in advance of a system breakdown, thereby facilitating the continuous, orderly and timely flow of information within the company and, ultimately, to investors and the marketplace. Improved disclosure may help companies detect fraudulent financial reporting earlier and perhaps thereby deter financial fraud or minimize its adverse effects. All of these benefits will increase market efficiency by improving investor confidence in the reliability of a company's financial disclosure and system of internal control over financial reporting. These benefits are not readily quantifiable. Commenters overwhelmingly supported the benefits of the amendments.
The amendments related to Section 302 of the Sarbanes-Oxley Act relocate the certifications required by Exchange Act Rules 13a-14 and 15d-14 from the text of quarterly and annual reports filed or submitted under Section 13(a) or 15(d) of the Exchange Act to the "Exhibits" section of these reports. The amendments related to Section 906 of the Sarbanes-Oxley Act require that the certifications required by Section 1350 of Title 18 of the United States Code, added by Section 906 of the Act, accompany the periodic reports to which they relate as exhibits. These changes will enhance the ability of investors and the Commission staff to verify that the certifications have, in fact, been submitted with the Exchange Act reports to which they relate and to review the contents of the certifications to ensure compliance with the applicable requirements. In addition, the changes will enable the Department of Justice, which has responsibility for enforcing Section 906, to review effectively the form and content of the certifications required by that section.
B. Costs
The final rules related to Section 404 of the Sarbanes-Oxley Act require companies, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The management report on internal control over financial reporting must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting; a statement identifying the framework used to evaluate the effectiveness of the company's internal control over financial reporting; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's evaluation of the company's internal control over financial reporting. The final rules will increase costs for all reporting companies. These costs are mitigated somewhat because companies have an existing obligation to maintain an adequate system of internal accounting control under the FCPA. Moreover, one commenter noted that some companies already voluntarily include management reports on their internal controls in their annual reports. The preparation of the management report on internal control over financial reporting will likely involve multiple parties, including senior management, internal auditors, in-house counsel, outside counsel and audit committee members.
Many commenters believed that our proposal to require quarterly evaluations of a company's internal control over financial reporting would significantly increase the costs of preparing periodic reports. Several commenters also were concerned that the proposals would result in increased audit fees. We have limited data on which to base cost estimates of the final rules.
Using our PRA burden estimates, we estimate the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act to be around $1.24 billion (or $91,000 per company). 174 We recognize the magnitude of the cost burdens and we are making several accommodations to address commenters' concerns and to ease compliance, including:
- Requiring quarterly disclosure only of any change that has materially affected, or is reasonably likely to materially affect, a company's internal control over financial reporting; and
- An extended transition period for the new internal control reporting requirements.
We originally proposed to require a company to include an internal control report in its annual report for fiscal years ending on or after September 15, 2003. Under the final rules, a company that is an "accelerated filer" under the definition in Exchange Act Rule 12b-2 must begin to comply with the internal control report requirement in its annual report for its first fiscal year ending on or after June 15, 2004. All other companies must begin to comply with the requirement in their annual reports for their first fiscal year ending on or after April 15, 2005.
A longer transition period will help to alleviate the immediate impact of any costs and burdens imposed on companies. A longer transition period may even help to reduce costs as companies will have additional time to develop best practices, long-term processes and efficiencies in preparing management reports. Also, a longer transition period will expand the period of availability of outside professionals that some companies may wish to retain as they prepare to comply with the new requirements.
The PRA burden estimate, however, excludes several costs attributable to Section 404. The estimate does not include the costs associated with the auditor's attestation report, which many commenters have suggested might be substantial. It also excludes estimates of likely "indirect" costs of the final rules. For instance, the final rules increase the cost of being a public company; therefore the final rules may discourage some companies from seeking capital from the public markets. Moreover, the final rules may also discourage non-U.S. firms from seeking capital in the United States.
The incremental costs of the amendments related to Section 302 of the Sarbanes-Oxley Act are minimal. Since companies must already include the certifications required by Exchange Act Rules 13a-14 and 15d-14 in their quarterly and annual reports, there should be no incremental cost to relocating the certifications from the text of the reports to the "Exhibits" section of these reports. Requiring the Section 906 certifications to be included as an exhibit to the periodic reports to which they relate will lead to some additional costs for companies that currently are submitting the certifications to the Commission in some other manner. While these costs are difficult to quantify, we estimate that the annual paperwork burden of the amendments will be approximately $23.4 million. 175
One commenter has expressed concern that companies may assume greater legal risk by making their Section 906 certifications publicly available. 176 To the extent that companies may assume greater legal risk by including the Section 906 certifications as part of their periodic reports filed pursuant to the Exchange Act where these reports are incorporated by reference into Securities Act registration statements, we address this risk by requiring companies to "furnish," rather than "file," the certifications with the Commission for purposes of Section 18 of the Exchange Act or incorporation by reference into other filings. Thus, the amendments should mitigate this potential indirect cost of compliance. We believe that it is appropriate to require the certifications that accompany a periodic report to be publicly available. We believe that Congress intended for Section 906 certifications to be publicly available. Civil liability already exists by virtue of the pre-existing signature requirements and Section 302 certifications. In addition, any Section 906 certification submitted to the Commission as correspondence is subject to the Freedom of Information Act. 177
VI. EFFECT ON EFFICIENCY, COMPETITION AND CAPITAL FORMATION
Section 23(a)(2) of the Exchange Act 178 requires us to consider the anti-competitive effects of any rules that we adopt under the Exchange Act. In addition, Section 23(a)(2) prohibits us from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act. The amendments related to Section 404 of the Sarbanes-Oxley Act represent the implementation of a congressional mandate. The final rules require management reports that improve investors' understanding of management's responsibility for the preparation of reliable financial information and maintaining adequate internal control over financial reporting. We anticipate that these requirements will enhance the proper functioning of the capital markets by increasing the quality and accountability of financial reporting and restoring investor confidence.
Section 2(b) of the Securities Act, 179 Section 3(f) of the Exchange Act 180 and Section 2(c) of the Investment Company Act 181 require us, when engaging in rulemaking to consider or determine whether an action is necessary or appropriate in the public interest, and consider whether the action will promote efficiency, competition, and capital formation. The amendments related to Section 404 are designed to enhance the quality and accountability of the financial reporting process and may help increase investor confidence, which implies increased efficiency and competitiveness of the U.S. capital markets. Increased market efficiency and investor confidence also may encourage more efficient capital formation. We requested comments on the effect of these amendments on efficiency, competition and capital formation analyses in the proposing release addressing Section 404. We received no comments in response to these requests.
The amendments related to Section 302 of the Sarbanes-Oxley Act would relocate the certifications required by Exchange Act Rules 13a-14 and 15d-14 from the text of quarterly and annual reports filed or submitted under Section 13(a) or 15(d) of the Exchange Act to the "Exhibits" section of these reports. This relocation will enhance the ability of investors and the Commission staff to verify that the certifications have, in fact, been submitted with the Exchange Act reports to which they relate and to review the contents of the certifications to ensure compliance with the applicable requirements. The amendments related to Section 906 of the Sarbanes-Oxley Act also will streamline compliance with Section 1350 of Title 18 of the United States Code, added by Section 906 of the Act, and will enable investors, the Commission staff and the Department of Justice, which has responsibility for enforcing Section 1350, to verify submission and efficiently review the form and content of the certifications required by that provision.
We do not believe that the amendments related to certifications will impose any burden on competition, nor are we aware of any impact on capital formation that would result from the amendments. Depending on how an issuer's principal executive and principal financial officers presently satisfy the Section 906 certification requirements, issuers may incur some additional costs in submitting these certifications as an exhibit to their periodic reports. While these costs are difficult to quantify, we believe that they would be nominal. We requested comment on whether the amendments would affect competition, efficiency and capital formation. We received no comments in response to this request.
VII. FINAL REGULATORY FLEXIBILITY ANALYSIS
This Final Regulatory Flexibility Analysis ("FRFA") has been prepared in accordance with the Regulatory Flexibility Act. 182 This FRFA relates to new rules and amendments that require Exchange Act companies, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The management report on internal control over financial reporting must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting; a statement identifying the framework used to evaluate the effectiveness of the company's internal control over financial reporting; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's evaluation of the company's internal control over financial reporting. This FRFA also addresses new rules and amendments that require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to their periodic reports. An Initial Regulatory Flexibility Analysis ("IRFA") was prepared in accordance with the Regulatory Flexibility Act in conjunction with each of the releases proposing these rules. 183 The proposing releases solicited comments on these analyses.
A. Need for the Amendments
We are adopting these disclosure requirements to comply with the mandate of, and to fulfill the purposes underlying the provisions of, the Sarbanes-Oxley Act of 2002. The new evaluation and disclosure requirements regarding a company's internal control over financial reporting are intended to enhance the quality of reporting and increase investor confidence in the fairness and integrity of the securities markets by making it clear that a company's management is responsible for maintaining and annually assessing such controls. The amendments related to Sections 302 and 906 of the Sarbanes-Oxley Act will enhance the ability of investors and the Commission staff to verify that the certifications have, in fact, been submitted with the Exchange Act reports to which they relate and to review the contents of the certifications to ensure compliance with the applicable requirements. The amendments also will streamline compliance with Section 1350 of Title 18 of the United States Code and will enable investors, the Commission staff and the Department of Justice, which has responsibility for enforcing Section 1350, to verify a company's submission of the Section 906 certification and efficiently review the form and content of the certifications.
B. Significant Issues Raised by Public Comment
In the Proposing Releases, we requested comment on any aspect of the IRFA, including the number of small entities that would be affected by the proposals, and both quantitative and qualitative nature of the impact. Several commenters expressed concern that small business issuers, including small entities, would be particularly disadvantaged by our proposal to require quarterly evaluations of internal control over financial reporting. We received no commentary on the impact on small entities of the new certification requirements.
C. Small Entities Subject to the Amendments
The new disclosure items affect issuers that are small entities. Exchange Act Rule 0-10(a) 184 defines an issuer, other than an investment company, to be a "small business" or "small organization" if it had total assets of $5 million or less on the last day of its most recent fiscal year. We estimate that there are approximately 2,500 issuers, other than investment companies, that may be considered small entities. For purposes of the Regulatory Flexibility Act, an investment company is a "small entity" if it, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 185 We estimate that there are approximately 190 registered management investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $50 million or less as of the end of the most recent fiscal year. 186
The new disclosure items with respect to management's report on internal control over financial reporting and the registered public accounting firm's attestation report apply to any small entity, other than a registered investment company, that is subject to Exchange Act reporting requirements. The new certification requirements apply to any small entity that is subject to Exchange Act reporting requirements.
D. Reporting, Recordkeeping and other Compliance Requirements
The amendments require a company's management to disclose information regarding the company's internal control over financial reporting, including management's assessment of the effectiveness of the company's internal control over financial reporting. All small entities that are subject to the reporting requirements of Section 13(a) or 15(d) of the Exchange Act, other than registered investment companies, are subject to these evaluation and disclosure requirements. Because reporting companies already file the forms being amended, no additional professional skills beyond those currently possessed by these filers necessarily are required to prepare the new disclosure, although some companies may choose to engage outside professionals to assist them in complying with the new requirements. We expect that these new disclosure items will increase compliance costs incurred by small entities. We have calculated for purposes of the Paperwork Reduction Act that each company would be subject to an added annual reporting burden of approximately 398 hours and the portion of that burden that is reflected as the cost associated with outside professionals is approximately $35,286. 187 We believe, however, that the annual average burden and costs for small issuers are much lower. 188 For the new certification requirements, we estimate that a company, including a small entity, will be subject to an additional reporting burden of eight hours per year. 189 These burden estimates reflect only the burden and cost of the required collection of information.
E. Agency Action to Minimize Effect on Small Entities
The Regulatory Flexibility Act directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. In connection with the amendments, we considered the following alternatives:
- Establishing different compliance or reporting requirements or timetables that take into account the resources available to small entities;
- Clarifying, consolidating or simplifying compliance and reporting requirements under the rules for small entities;
- Using performance rather than design standards; and
- Exempting small entities from all or part of the requirements.
Several of these alternatives were considered but rejected, while other alternatives were taken into account in the final rules. We believe the final rules fulfill the intent of the Sarbanes-Oxley Act of enhancing the quality of reporting and increasing investor confidence in the fairness and integrity of the securities markets.
Sections 302, 404 and 906 of the Sarbanes-Oxley Act make no distinction based on a company's size. We think that improvements in the financial reporting process for all companies are important for promoting investor confidence in our markets. For example, a 1999 report commissioned by the organizations that sponsored the Treadway Commission found that the incidence of financial fraud was greater in small companies. 190 However, we are sensitive to the costs and burdens that small entities will face. The final rules require only a quarterly evaluation of material changes to a company's internal control over financial reporting, unlike the proposed rules that would have required management to evaluate the effectiveness of a company's internal control over financial reporting on a quarterly basis. In response to comments, including comments submitted by the Small Business Administration, we have decided not to adopt this proposal.
We believe that a blanket exemption for small entities from coverage of the requirements is not appropriate and would be inconsistent with the policies underlying the Sarbanes-Oxley Act. However, we have provided an extended transition period for companies that do not meet the definition in Exchange Act Rule 12b-2 191 of an "accelerated filer" for the rules implementing Section 404 of the Sarbanes-Oxley Act. Under the adopted rules, non-accelerated filers, including small business issuers, need not prepare the management report on internal control over financial reporting until they file their annual reports for fiscal years ending on or after April 15, 2005. This deferral provides non-accelerated filers more time to develop structured and formal systems of internal control over financial reporting.
We believe that the new disclosure and certification requirements are clear and straightforward. The amendments require only brief disclosure. An effective system of internal control over financial reporting has always been necessary to produce reliable financial statements and other financial information. Our amendments do not specify any particular controls that a company's internal control over financial reporting should include. Each company is afforded the flexibility to design its internal control over financial reporting according to its own set of circumstances. This flexibility should enable companies to keep costs of compliance as low as possible. Therefore, it does not seem necessary to develop separate requirements for small entities.
The final rules impose both design and performance standards regarding disclosure of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company and management's assessment of the effectiveness of such controls. The rules do, however, afford a company the flexibility to design its internal control over financial reporting to fit its particular circumstances. We believe that it would be inconsistent with the purposes of the Sarbanes-Oxley Act to specify different requirements for small entities.
VIII. STATUTORY AUTHORITY AND TEXT OF RULE AMENDMENTS
The amendments described in this release are being adopted under the authority set forth in Sections 5, 6, 7, 10, 17 and 19 of the Securities Act, as amended, Sections 12, 13, 15, 23 and 36 of the Exchange Act, Sections 8, 30, 31 and 38 of the Investment Company Act, as amended and Sections 3(a), 302, 404, 405 and 906 of the Sarbanes-Oxley Act.
List of Subjects
17 CFR Part 210
Accountants, Accounting, Reporting and recordkeeping requirements, Securities.
17 CFR Part 228
Reporting and recordkeeping requirements, Securities, Small businesses.
17 CFR Parts 229, 240 and 249
Reporting and recordkeeping requirements, Securities.
17 CFR Parts 270 and 274
Investment companies, Reporting and recordkeeping requirements, Securities.
TEXT OF AMENDMENTS
For the reasons set out in the preamble, the Commission amends title 17, chapter II, of the Code of Federal Regulations as follows:
PART 210 - FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940, AND ENERGY POLICY AND CONSERVATION ACT OF 1975
1. The authority citation for Part 210 is revised to read as follows:
Authority : 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 78c, 78j-1, 78 l , 78m, 78n, 78o(d), 78q, 78u-5, 78w(a), 78 ll , 78mm, 79e(b), 79j(a), 79n, 79t(a), 80a-8, 80a-20, 80a-29, 80a-30, 80a-31, 80a-37(a), 80b-3, 80b-11, 7202 and 7262, unless otherwise noted.
2. Section 210.1-02 is amended by:
a. Removing the authority citation following §210.1-02;
b. Redesignating paragraph (a) as paragraph (a)(1); and
c. Adding paragraph (a)(2).
The revisions read as follows:
§210.1-02 Definition of terms used in Regulation S-X (17 CFR part 210).
* * * * *
(a)(1) * * *
(2) Attestation report on management's assessment of internal control over financial reporting . The term attestation report on management's assessment of internal control over financial reporting means a report in which a registered public accounting firm expresses an opinion, or states that an opinion cannot be expressed, concerning management's assessment of the effectiveness of the registrant's internal control over financial reporting (as defined in §240.13a-15(f) or 240.15d-15(f) of this chapter) in accordance with standards on attestation engagements. When an overall opinion cannot be expressed, the registered public accounting firm must state why it is unable to express such an opinion.
* * * * *
3. Amend §210.2-02 by:
a. Revising the section heading;
b. Revising the headings of paragraphs (a), (b), (c) and (d); and
c. Adding paragraph (f).
The addition and revisions read as follows.
§210.2-02 Accountants' reports and attestation reports on management's assessment of internal control over financial reporting.
(a) Technical requirements for accountants' reports . * * *
(b) Representations as to the audit included in accountants' reports . * * *
(c) Opinions to be expressed in accountants' reports . * * *
(d) Exceptions identified in accountants' reports . * * *
* * * * *
(f) Attestation report on management's assessment of internal control over financial reporting . Every registered public accounting firm that issues or prepares an accountant's report for a registrant, other than an investment company registered under section 8 of the Investment Company Act of 1940 (15 U.S.C. 80a-8), that is included in an annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq .) containing an assessment by management of the effectiveness of the registrant's internal control over financial reporting must attest to, and report on, such assessment. The attestation report on management's assessment of internal control over financial reporting shall be dated, signed manually, identify the period covered by the report and clearly state the opinion of the accountant as to whether management's assessment of the effectiveness of the registrant's internal control over financial reporting is fairly stated in all material respects, or must include an opinion to the effect that an overall opinion cannot be expressed. If an overall opinion cannot be expressed, explain why. The attestation report on management's assessment of internal control over financial reporting may be separate from the accountant's report.
PART 228 - INTEGRATED DISCLOSURE SYSTEM FOR SMALL BUSINESS ISSUERS
4. The general authority citation for Part 228 is revised to read as follows:
Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77jjj, 77nnn, 77sss, 78 l , 78m, 78n, 78o, 78u-5, 78w, 78 ll , 78mm, 80a-8, 80a-29, 80a-30, 80a-37, 80b-11, 7202, 7241, and 7262; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
5. Revise §228.307 to read as follows:
§228.307 (Item 307) Disclosure controls and procedures.
Disclose the conclusions of the small business issuer's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the small business issuer's disclosure controls and procedures (as defined in §240.13a-15(e) or 240.15d-15(e) of this chapter) as of the end of the period covered by the report, based on the evaluation of these controls and procedures required by paragraph (b) of §240.13a-15 or 240.15d-15 of this chapter.
6. Add §228.308 to read as follows:
§228.308 (Item 308) Internal control over financial reporting.
(a) Management's annual report on internal control over financial reporting . Provide a report of management on the small business issuer's internal control over financial reporting (as defined in §240.13a-15(f) or 240.15d-15(f) of this chapter) that contains:
(1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the small business issuer;
(2) A statement identifying the framework used by management to evaluate the effectiveness of the small business issuer's internal control over financial reporting as required by paragraph (c) of §240.13a-15 or 240.15d-15 of this chapter;
(3) Management's assessment of the effectiveness of the small business issuer's internal control over financial reporting as of the end of the small business issuer's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the small business issuer's internal control over financial reporting identified by management. Management is not permitted to conclude that the small business issuer's internal control over financial reporting is effective if there are one or more material weaknesses in the small business issuer's internal control over financial reporting; and
(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on management's assessment of the small business issuer's internal control over financial reporting.
(b) Attestation report of the registered public accounting firm . Provide the registered public accounting firm's attestation report on management's assessment of the small business issuer's internal control over financial reporting in the small business issuer's annual report containing the disclosure required by this Item.
(c) Changes in internal control over financial reporting . Disclose any change in the small business issuer's internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of §240.13a-15 or 240.15d-15 of this chapter that occurred during the small business issuer's last fiscal quarter (the small business issuer's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the small business issuer's internal control over financial reporting.
Instructions to Item 308
1. The small business issuer must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the small business issuer's internal control over financial reporting.
2. A small business issuer that is an Asset-Backed Issuer (as defined in §240.13a-14(g) and §240.15d-14(g) of this chapter) is not required to disclose the information required by this Item.
7. Amend §228.401 by removing the phrase "internal controls and procedures for financial reporting" in paragraph (e)(2)(iv) of Item 401 and adding, in its place, the phrase "internal control over financial reporting".
8. Amend §228.601 by:
a. Removing the last sentence of paragraph (a)(1);
b. Revising the Exhibit Table;
c. Revising paragraph (b)(7) to read "No exhibit required.";
d. Revising the heading in paragraph (b)(11) to read "Statement re: computation of per share earnings"; and
e. Revising paragraphs (b)(27) through (b)(98).
The revisions read as follows.
§228.601 (Item 601) Exhibits.
* * * * *
(b) Description of exhibits. * * *
(27) through (30) [Reserved]
(31) Rule 13a-14(a)/15d-14(a) Certifications. The certifications required by Rule 13a-14(a) (17 CFR 240.13a-14(a)) or Rule 15d-14(a) (17 CFR 240.15d-14(a)) exactly as set forth below:
CERTIFICATIONS*
I, [identify the certifying individual], certify that:
- I have reviewed this [specify report] of [identify small business issuer];
- Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
- Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the small business issuer as of, and for, the periods presented in this report;
- The small business issuer's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the small business issuer and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the small business issuer, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the small business issuer's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the small business issuer's internal control over financial reporting that occurred during the small business issuer's most recent fiscal quarter (the small business issuer's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the small business issuer's internal control over financial reporting; and
- The small business issuer's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the small business issuer's auditors and the audit committee of the small business issuer's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the small business issuer's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the small business issuer's internal control over financial reporting.
Date: ...............
_______________________
[Signature]
[Title]
* Provide a separate certification for each principal executive officer and principal financial officer of the small business issuer. See Rules 13a-14(a) and 15d-14(a)
(32) Section 1350.
(i) The certifications required by Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350).
(ii) A certification furnished pursuant to this Item will not be deemed "filed" for purposes of section 18 of the Exchange Act (15 U.S.C. 78r), or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act or the Exchange Act, except to the extent that the small business issuer specifically incorporates it by reference.
(33) through (98) [Reserved]
* * * * *
PART 229 - STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND CONSERVATION ACT OF 1975 - REGULATION S-K
9. The general authority citation for Part 229 is revised to read as follows:
Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj, 77nnn, 77sss, 78c, 78i, 78j, 78 l , 78m, 78n, 78o, 78u-5, 78w, 78 ll , 78mm, 79e, 79j, 79n, 79t, 80a-8, 80a-9, 80a-20, 80a-29, 80a-30, 80a-31(c), 80a-37, 80a-38(a), 80a-39, 80b-11, 7202, 7241, and 7262; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
10. By revising §229.307 to read as follows:
§229.307 (Item 307) Disclosure controls and procedures.
Disclose the conclusions of the registrant's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the registrant's disclosure controls and procedures (as defined in §240.13a-15(e) or 240.15d-15(e) of this chapter) as of the end of the period covered by the report, based on the evaluation of these controls and procedures required by paragraph (b) of §240.13a-15 or 240.15d-15 of this chapter.
11. By adding §229.308 to read as follows:
§229.308 (Item 308) Internal control over financial reporting.
(a) Management's annual report on internal control over financial reporting . Provide a report of management on the registrant's internal control over financial reporting (as defined in §240.13a-15(f) or 240.15d-15(f) of this chapter) that contains:
(1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant;
(2) A statement identifying the framework used by management to evaluate the effectiveness of the registrant's internal control over financial reporting as required by paragraph (c) of §240.13a-15 or 240.15d-15 of this chapter;
(3) Management's assessment of the effectiveness of the registrant's internal control over financial reporting as of the end of the registrant's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the registrant's internal control over financial reporting identified by management. Management is not permitted to conclude that the registrant's internal control over financial reporting is effective if there are one or more material weaknesses in the registrant's internal control over financial reporting; and
(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.
(b) Attestation report of the registered public accounting firm . Provide the registered public accounting firm's attestation report on management's assessment of the registrant's internal control over financial reporting in the registrant's annual report containing the disclosure required by this Item.
(c) Changes in internal control over financial reporting . Disclose any change in the registrant's internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of §240.13a-15 or 240.15d-15 of this chapter that occurred during the registrant's last fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.
Instructions to Item 308
1. The registrant must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the registrant's internal control over financial reporting.
2. A registrant that is an Asset-Backed Issuer (as defined in §240.13a-14(g) and §240.15d-14(g) of this chapter) is not required to disclose the information required by this Item.
12. By amending §229.401 by removing the phrase "internal controls and procedures for financial reporting" in paragraph (h)(2)(iv) of Item 401 and adding, in its place, the phrase "internal control over financial reporting".
13. By amending §229.601 by:
a. Removing the second and third sentences of paragraph (a)(1);
b. Revising the Exhibit Table which follows the Instructions to the Exhibit Table; and
c. Revising paragraphs (b)(27) through (b)(98).
The revisions read as follows:
§229.601 (Item 601) Exhibits.
(a) Exhibits and index required. * * *
Instructions to the Exhibit Table
* * * * *
(b) Description of exhibits . * * *
(27) through (30) [Reserved]
(31) Rule 13a-14(a)/15d-14(a) Certifications . The certifications required by Rule 13a-14(a) (17 CFR 240.13a-14(a)) or Rule 15d-14(a) (17 CFR 240.15d-14(a)) exactly as set forth below:
CERTIFICATIONS*
I, [identify the certifying individual], certify that:
- I have reviewed this [specify report] of [identify registrant];
- Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
- Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
- The registrant's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and
- The registrant's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.
Date: ...............
_______________________
[Signature]
[Title]
* Provide a separate certification for each principal executive officer and principal financial officer of the registrant. See Rules 13a-14(a) and 15d-14(a).
(32) Section 1350 Certifications .
(i) The certifications required by Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350).
(ii) A certification furnished pursuant to this item will not be deemed "filed" for purposes of Section 18 of the Exchange Act (15 U.S.C. 78r), or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act or the Exchange Act, except to the extent that the registrant specifically incorporates it by reference.
(33) through (98) [Reserved]
* * * * *
PART 240 - GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934
14. The general authority citation for Part 240 is revised to read as follows:
Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78d, 78e, 78f, 78g, 78i, 78j, 78j-1, 78k, 78k-1, 78 l , 78m, 78n, 78o, 78p, 78q, 78s,
78u-5, 78w, 78x, 78 ll , 78mm, 79q, 79t, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 7202, 7241, 7262, and 7263; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
15. By revising §240.12b-15 to read as follows:
§240.12b-15 Amendments.
All amendments must be filed under cover of the form amended, marked with the letter "A" to designate the document as an amendment, e.g. , "10-K/A," and in compliance with pertinent requirements applicable to statements and reports. Amendments filed pursuant to this section must set forth the complete text of each item as amended. Amendments must be numbered sequentially and be filed separately for each statement or report amended. Amendments to a statement may be filed either before or after registration becomes effective. Amendments must be signed on behalf of the registrant by a duly authorized representative of the registrant. An amendment to any report required to include the certifications as specified in §240.13a-14(a) or §240.15d-14(a) must include new certifications by each principal executive and principal financial officer of the registrant, and an amendment to any report required to be accompanied by the certifications as specified in §240.13a-14(b) or §240.15d-14(b) must be accompanied by new certifications by each principal executive and principal financial officer of the registrant. The requirements of the form being amended will govern the number of copies to be filed in connection with a paper format amendment. Electronic filers satisfy the provisions dictating the number of copies by filing one copy of the amendment in electronic format. See §232.309 of this chapter (Rule 309 of Regulation S-T).
16. By amending §240.13a-14 by:
a. Revising paragraphs (a) and (b);
b. Removing paragraph (c);
c. Redesignating paragraphs (d), (e) and (f) as paragraphs (c), (d) and (e);
d. Revising newly redesignated paragraph (c), the introductory text of newly redesignated paragraph (d) and newly redesignated paragraph (e); and
e. Adding and reserving new paragraph (f).
The revisions read as follows:
§240.13a-14 Certification of disclosure in annual and quarterly reports.
(a) Each report, including transition reports, filed on Form 10-Q, Form 10-QSB, Form 10-K, Form 10-KSB, Form 20-F or Form 40-F (§§249.308a, 249.308b, 249.310, 249.310b, 249.220f or 249.240f of this chapter) under section 13(a) of the Act (15 U.S.C. 78m(a)), other than a report filed by an Asset-Backed Issuer (as defined in paragraph (g) of this section), must include certifications in the form specified in the applicable exhibit filing requirements of such report and such certifications must be filed as an exhibit to such report. Each principal executive and principal financial officer of the issuer, or persons performing similar functions, at the time of filing of the report must sign a certification.
(b) Each periodic report containing financial statements filed by an issuer pursuant to section 13(a) of the Act (15 U.S.C. 78m(a)) must be accompanied by the certifications required by Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) and such certifications must be furnished as an exhibit to such report as specified in the applicable exhibit requirements for such report. Each principal executive and principal financial officer of the issuer (or equivalent thereof) must sign a certification. This requirement may be satisfied by a single certification signed by an issuer's principal executive and principal financial officers.
(c) A person required to provide a certification specified in paragraph (a) or (b) of this section may not have the certification signed on his or her behalf pursuant to a power of attorney or other form of confirming authority.
(d) Each annual report filed by an Asset-Backed Issuer (as defined in paragraph (g) of this section) under section 13(a) of the Act (15 U.S.C. 78m(a)) must include a certification addressing the following items: * * *
(e) With respect to Asset-Backed Issuers, the certification required by paragraph (d) of this section must be signed by the trustee of the trust (if the trustee signs the annual report) or the senior officer in charge of securitization of the depositor (if the depositor signs the annual report). Alternatively, the senior officer in charge of the servicing function of the master servicer (or entity performing the equivalent functions) may sign the certification.
(f) [Reserved]
* * * * *
17. Section 240.13a-15 is revised to read as follows:
§240.13a-15 Controls and procedures.
(a) Every issuer that has a class of securities registered pursuant to section 12http://www.law.uc.edu/CCL/34Act/sec12.html of the Act (15 U.S.C. 78 l ), other than an Asset-Backed Issuer (as defined in §240.13a-14(g)), a small business investment company registered on Form N-5 (§§ 239.24 and 274.5 of this chapter), or a unit investment trust as defined by section 4(2) of the Investment Company Act of 1940 (15 U.S.C. 80a-4(2)), must maintain disclosure controls and procedures (as defined in paragraph (e) of this section) and internal control over financial reporting (as defined in paragraph (f) of this section).
(b) Each such issuer's management must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, the effectiveness of the issuer's disclosure controls and procedures, as of the end of each fiscal quarter, except that management must perform this evaluation:
(1) In the case of a foreign private issuer (as defined in §240.3b-4) as of the end of each fiscal year; and
(2) In the case of an investment company registered under section 8 of the Investment Company Act of 1940 (15 U.S.C. 80a-8), within the 90-day period prior to the filing date of each report requiring certification under §270.30a-2 of this chapter.
(c) The management of each such issuer, other than an investment company registered under section 8 of the Investment Company Act of 1940, must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, the effectiveness, as of the end of each fiscal year, of the issuer's internal control over financial reporting. The framework on which management's evaluation of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
(d) The management of each such issuer, other than an investment company registered under section 8 of the Investment Company Act of 1940, must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, any change in the issuer's internal control over financial reporting, that occurred during each of the issuer's fiscal quarters, or fiscal year in the case of a foreign private issuer, that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.
(e) For purposes of this section, the term disclosure controls and procedures means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq .) is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
(f) The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.
18. By amending §240.15d-14 by:
a. Revising paragraphs (a) and (b);
b. Removing paragraph (c);
c. Redesignating paragraphs (d), (e) and (f) as paragraphs (c), (d) and (e);
d. Revising newly redesignated paragraph (c), the introductory text of newly redesignated paragraph (d) and newly redesignated paragraph (e); and
e. Adding and reserving new paragraph (f).
The revisions read as follows.
§240.15d-14 Certification of disclosure in annual and quarterly reports.
(a) Each report, including transition reports, filed on Form 10-Q, Form 10-QSB, Form 10-K, Form 10-KSB, Form 20-F or Form 40-F (§§249.308a, 249.308b, 249.310, 249.310b, 249.220f or 249.240f of this chapter) under section 15(d) of the Act (15 U.S.C. 78o(d)), other than a report filed by an Asset-Backed Issuer (as defined in paragraph (g) of this section), must include certifications in the form specified in the applicable exhibit filing requirements of such report and such certifications must be filed as an exhibit to such report. Each principal executive and principal financial officer of the issuer, or persons performing similar functions, at the time of filing of the report must sign a certification.
(b) Each periodic report containing financial statements filed by an issuer pursuant to section 15(d) of the Act (15 U.S.C. 78o(d)) must be accompanied by the certifications required by Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) and such certifications must be furnished as an exhibit to such report as specified in the applicable exhibit requirements for such report. Each principal executive and principal financial officer of the issuer (or equivalent thereof) must sign a certification. This requirement may be satisfied by a single certification signed by an issuer's principal executive and principal financial officers.
(c) A person required to provide a certification specified in paragraph (a) or (b) of this section may not have the certification signed on his or her behalf pursuant to a power of attorney or other form of confirming authority.
(d) Each annual report filed by an Asset-Backed Issuer (as defined in paragraph (g) of this section) under section 15(d) of the Act (15 U.S.C. 78o(d)), must include a certification addressing the following items: * * *
(e) With respect to Asset-Backed Issuers, the certification required by paragraph (d) of this section must be signed by the trustee of the trust (if the trustee signs the annual report) or the senior officer in charge of securitization of the depositor (if the depositor signs the annual report). Alternatively, the senior officer in charge of the servicing function of the master servicer (or entity performing the equivalent functions) may sign the certification.
(f) [Reserved]
* * * * *
19. Section 240.15d-15 is revised to read as follows:
§240.15d-15 Controls and procedures.
(a) Every issuer that files reports under section 15(d) of the Act (15 U.S.C. 78o(d)), other than an Asset-Backed Issuer (as defined in §240.15d-14(g) of this chapter), a small business investment company registered on Form N-5 (§§239.24 and 274.5 of this chapter), or a unit investment trust as defined in section 4(2) of the Investment Company Act of 1940 (15 U.S.C. 80a-4(2)), must maintain disclosure controls and procedures (as defined in paragraph (e) of this section) and internal control over financial reporting (as defined in paragraph (f) of this section).
(b) Each such issuer's management must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, the effectiveness of the issuer's disclosure controls and procedures, as of the end of each fiscal quarter, except that management must perform this evaluation:
(1) In the case of a foreign private issuer (as defined in §240.3b-4) as of the end of each fiscal year; and
(2) In the case of an investment company registered under section 8 of the Investment Company Act of 1940 (15 U.S.C. 80a-8), within the 90-day period prior to the filing date of each report requiring certification under §270.30a-2 of this chapter.
(c) The management of each such issuer, other than an investment company registered under section 8 of the Investment Company Act of 1940, must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, the effectiveness, as of the end of each fiscal year, of the issuer's internal control over financial reporting. The framework on which management's evaluation of the issuer's internal control over financial reporting is based must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
(d) The management of each such issuer, other than an investment company registered under section 8 of the Investment Company Act of 1940, must evaluate, with the participation of the issuer's principal executive and principal financial officers, or persons performing similar functions, any change in the issuer's internal control over financial reporting, that occurred during each of the issuer's fiscal quarters, or fiscal year in the case of a foreign private issuer, that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.
(e) For purposes of this section, the term disclosure controls and procedures means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq .) is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
(f) The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.
PART 249 - FORMS, SECURITIES EXCHANGE ACT OF 1934
20. The general authority citation for Part 249 and the subauthority citation for "Section 249.331" are revised to read as follows:
Authority : 15 U.S.C. 78a et seq ., 7202, 7233, 7241, 7262, 7264, and 7265; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
Section 249.331 is also issued under 15 U.S.C. 78j-1, 7202, 7233, 7241, 7264, 7265; and 18 U.S.C. 1350.
* * * * *
21. By amending Form 10-Q (referenced in §249.308a) by:
a. Removing the last sentence of General Instruction G;
b. Revising Item 4 to "Part I - Financial Information;" and
c. Removing the "Certifications" section after the "Signatures" section.
The revision reads as follows.
Note: The text of Form 10-Q does not, and this amendment will not, appear in the Code of Federal Regulations.
FORM 10-Q
* * * * *
Part I - Financial Information
* * * * *
Item 4. Controls and Procedures.
Furnish the information required by Items 307 of Regulation S-K (17 CFR 229.307) and 308(c) of Regulation S-K (17 CFR 229.308(c)).
* * * * *
22. By amending Form 10-QSB (referenced in §249.308b) by:
a. Removing the last sentence of paragraph 2 of General Instruction F;
b. Revising Item 3 to "Part I - Financial Information;" and
c. Removing the "Certifications" section after the "Signatures" section.
The revision reads as follows.
Note: The text of Form 10-QSB does not, and this amendment will not, appear in the Code of Federal Regulations.
FORM 10-QSB
* * * * *
Part I - Financial Information
* * * * *
Item 3. Controls and Procedures.
Furnish the information required by Items 307 of Regulation S-B (17 CFR 228.307) and 308(c) of Regulation S-B (17 CFR 228.308(c)).
* * * * *
23. By amending Form 10-K (referenced in § 249.310) by:
a. Removing the phrase "(who also must provide the certification required by Rule 13a-14 (17 CFR 240.13a-14) or Rule 15d-14 (17 CFR 240.15d-14) exactly as specified in this form)" each time it appears in the first sentence of paragraph (2)(a) of General Instruction D.;
b. Removing the phrase "(Items 1 through 9 or any portion thereof)" and adding, in its place, the phrase "(Items 1 through 9A or any portion thereof)" in the first sentence of paragraph (2) of General Instruction G.;
c. Removing the phrase "(Items 10, 11, 12 and 13)" and adding, in its place, the phrase "(Items 10, 11, 12, 13 and 14)" in the first sentence of paragraph (3) of General Instruction G.;
d. Removing the phrase "(Items 1 through 9)" in the third sentence of paragraph (4) of General Instruction G and adding, in its place, the phrase "(Items 1 through 9A)";
e. Removing the phrase "(Items 10 through 13)" in the third sentence of paragraph (4) of General Instruction G and adding, in its place, the phrase "(Items 10 through 14)";
f. Redesignating Item 14 of Part III as Item 9A of Part II and revising newly redesignated Item 9A;
g. Redesignating Item 15 in Part III as Item 14;
h. "Instruction to Item 15" is corrected to read "Instruction to Item 14";
i. Redesignating Item 16 in Part IV as Item 15;
j. Removing the "Certifications" section after the "Signatures" section and before the reference to "Supplemental Information to be Furnished With Reports Filed Pursuant to Section 15(d) of the Act by Issuers Which Have Not Registered Securities Pursuant to Section 12 of the Act."
The revision reads as follows.
Note: The text of Form 10-K does not, and this amendment will not, appear in the Code of Federal Regulations.
Form 10-K
* * * * *
PART II
* * * * *
Item 9A. Controls and procedures.
Furnish the information required by Items 307 and 308 of Regulation S-K (17 CFR 229.307 and 229.308).
24. By amending Form 10-KSB (referenced in § 249.310b) by:
a. Removing the phrase "(who also must provide the certification required by Rule 13a-14 (17 CFR 240.13a-14) or Rule 15d-14 (17 CFR 240.15d-14) exactly as specified in this form)" each time it appears in the first sentence of paragraph 2 of General Instruction C.;
b. Redesignating Item 14 of Part III as Item 8A of Part II and revising newly redesignated Item 8A;
c. Redesignating Item 15 of Part III as Item 14;
d. "Instruction to Item 15" is corrected to read "Instruction to Item 14";
e. Revising Item 2 of Part III of "INFORMATION REQUIRED IN ANNUAL REPORT OF TRANSITIONAL SMALL BUSINESS ISSER"; and
f. Removing the "Certifications" section after the "Signatures" section and before the reference to "Supplemental Information to be Furnished With Reports Filed Pursuant to Section 15(d) of the Exchange Act By Non-reporting Issuers."
Note: The text of Form 10-KSB does not, and this amendment will not, appear in the Code of Federal Regulations.
Form 10-KSB
* * * * *
PART II
* * * * *
Item 8A. Controls and Procedures
Furnish the information required by Items 307 of Regulation S-B (17 CFR 228.307) and 308 of Regulation S-B (17 CFR 228.308).
* * * * *
INFORMATION REQUIRED IN ANNUAL REPORT OF TRANSITIONAL SMALL BUSINESS ISSER
* * * * *
PART III
* * * * *
Item 2. Description of Exhibits.
As appropriate, the issuer should file those documents required to be filed as Exhibit Number 2, 3, 5, 6, and 7 in Part III of Form 1-A. The registrant also shall file:
(12) Additional exhibits - Any additional exhibits which the issuer may wish to file, which shall be so marked as to indicate clearly the subject matters to which they refer.
(13) Form F-X - Canadian issuers shall file a written irrevocable consent and power of attorney on Form F-X.
(31) The exhibit described in paragraph (b)(31) of Item 601 of Regulation S-B.
(32) The exhibit described in paragraph (b)(32) of Item 601 of Regulation S-B.
25. By amending Form 20-F (referenced in §249.220f) by:
a. Revising paragraph (e) to General Instruction B;
b. Revising Item 15 of Part II;
c. Removing the phrase "internal controls and procedures for financial reporting" in paragraph (b)(4) of Item 16A of Part II and adding, in its place, the phrase "internal control over financial reporting";
d. Removing the "Certifications" section after the "Signatures" section and before the section referencing "Instructions as to Exhibits"; and
e. In the "Instruction as to Exhibits" section, redesignate paragraph 12 as paragraph 14 and add new paragraph 12 and paragraph 13.
The revisions and addition read as follows.
Note: The text of Form 20-F does not, and this amendment will not, appear in the Code of Federal Regulations.
FORM 20-F
* * * * *
GENERAL INSTRUCTIONS
* * * * *
B. General Rules and Regulations That Apply to this Form.
* * * * *
(e) Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide the certifications required by Rule 13a-14 (17 CFR 240.13a-14) or Rule 15d-14 (17 CFR 240.15d-14).
* * * * *
PART II
* * * * *
Item 15. Controls and Procedures.
(a) Disclosure Controls and Procedures . Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, disclose the conclusions of the issuer's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the issuer's disclosure controls and procedures (as defined in 17 CFR 240.13a-15(e) or 240.15d-15(e)) as of the end of the period covered by the report, based on the evaluation of these controls and procedures required by paragraph (b) of 17 CFR 240.13a-15 or 240.15d-15.
(b) Management's annual report on internal control over financial reporting . Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide a report of management on the issuer's internal control over financial reporting (as defined in 17 CFR 240.13a-15(f) or 240.15d-15(f)) that contains:
(1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;
(2) A statement identifying the framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting as required by paragraph (c) of 17 CFR 240.13a-15 or 240.15d-15;
(3) Management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the issuer's internal control over financial reporting identified by management. Management is not permitted to conclude that the issuer's internal control over financial reporting is effective if there are one or more material weaknesses in the issuer's internal control over financial reporting; and
(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on management's assessment of the issuer's internal control over financial reporting.
(c) Attestation report of the registered public accounting firm . Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide the registered public accounting firm's attestation report on management's assessment of the issuer's internal control over financial reporting in the issuer's annual report containing the disclosure required by this Item.
(d) Changes in internal control over financial reporting . Disclose any change in the issuer's internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of 17 CFR 240.13a-15 or 240.15d-15 that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.
Instructions to Item 15 .
1. The issuer must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting.
2. An issuer that is an Asset-Backed Issuer (as defined in 17 CFR 240.13a-14(g) and 17 CFR 240.15d-14(g)) is not required to disclose the information required by this Item.
* * * * *
Instructions as to Exhibits
* * * * *
12. The certifications required by Rule 13a-14(a) (17 CFR 240.13a-14(a)) or Rule 15d-14(a) (17 CFR 240.15d-14(a)) exactly as set forth below:
CERTIFICATIONS*
I, [identify the certifying individual], certify that:
- I have reviewed this annual report on Form 20-F of [identify company];
- Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
- Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the company as of, and for, the periods presented in this report;
- The company's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the company and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the company, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the company's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the company's internal control over financial reporting that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting; and
- The company's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.
Date: ...............
_______________________
[Signature]
[Title]
* Provide a separate certification for each principal executive officer and principal financial officer of the company. See Rules 13a-14(a) and 15d-14(a).
13. (a) The certifications required by Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350).
(b) A certification furnished pursuant to Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) will not be deemed "filed" for purposes of Section 18 of the Exchange Act [15 U.S.C. 78r], or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act or the Exchange Act, except to the extent that the company specifically incorporates it by reference.
26. By amending Form 40-F (referenced in §249.240f) by:
a. Revising paragraph (6) to General Instruction B; and
b. Removing the phrase "internal controls and procedures for financial reporting" and adding, in its place, the phrase "internal control over financial reporting" in paragraph (8)(b)(4) of General Instruction B; and
c. Removing the "Certifications" section after the "Signatures" section.
The revision reads as follows.
Note: The text of Form 40-F does not, and this amendment will not, appear in the Code of Federal Regulations.
FORM 40-F
* * * * *
GENERAL INSTRUCTIONS
* * * * *
B. Information To Be Filed on this Form
* * * * *
(6) Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act:
(a) (1) Provide the certifications required by Rule 13a-14(a) (17 CFR 240.13a-14(a)) or Rule 15d-14(a) (17 CFR 240.15d-14(a)) as an exhibit to this report exactly as set forth below.
CERTIFICATIONS*
I, [identify the certifying individual], certify that:
- I have reviewed this annual report on Form 40-F of [identify issuer];
- Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
- Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer as of, and for, the periods presented in this report;
- The issuer's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the issuer and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the issuer, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the issuer's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the issuer's internal control over financial reporting that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting; and
- The issuer's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the issuer's auditors and the audit committee of the issuer's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal control over financial reporting.
Date: ...............
_______________________
[Signature]
[Title]
* Provide a separate certification for each principal executive officer and principal financial officer of the issuer. See Rules 13a-14(a) and 15d-14(a).
(2) (i) Provide the certifications required by Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) as an exhibit to this report.
(ii) A certification furnished pursuant to Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) will not be deemed "filed" for purposes of Section 18 of the Exchange Act [15 U.S.C. 78r], or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act or the Exchange Act, except to the extent that the issuer specifically incorporates it by reference.
(b) Disclosure Controls and Procedures . Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, disclose the conclusions of the issuer's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the issuer's disclosure controls and procedures (as defined in 17 CFR 240.13a-15(e) or 240.15d-15(e)) as of the end of the period covered by the report, based on the evaluation of these controls and procedures required by paragraph (b) of 17 CFR 240.13a-15 or 240.15d-15.
(c) Management's annual report on internal control over financial reporting . Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide a report of management on the issuer's internal control over financial reporting (as defined in 17 CFR 240.13a-15(f) or 240.15d-15(f)) that contains:
(1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;
(2) A statement identifying the framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting as required by paragraph (c) of 17 CFR 240.13a-15 or 240.15d-15;
(3) Management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the issuer's internal control over financial reporting identified by management. Management is not permitted to conclude that the issuer's internal control over financial reporting is effective if there are one or more material weaknesses in the issuer's internal control over financial reporting; and
(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on management's assessment of the issuer's internal control over financial reporting.
(d) Attestation report of the registered public accounting firm . Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide the registered public accounting firm's attestation report on management's assessment of internal control over financial reporting in the annual report containing the disclosure required by this Item.
(e) Changes in internal control over financial reporting . Disclose any change in the issuer's internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of 17 CFR 240.13a-15 or 240.15d-15 that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.
Instructions to paragraphs (b), (c), (d) and (e) of General Instruction B. 6.
1. The issuer must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting.
2. An issuer that is an Asset-Backed Issuer (as defined in 17 CFR 240.13a-14(g) and 240.15d-14(g)) is not required to disclose the information required by this Item.
* * * * *
PART 270 - RULES AND REGULATIONS, INVESTMENT COMPANY ACT OF 1940
27. The authority citation for Part 270 is amended by revising the subauthority citation for "Section 270.30a-2" to read as follows:
Authority : 15 U.S.C. 80a-1 et seq ., 80a-34(d), 80a-37, and 80a-39, unless otherwise noted.
* * * * *
Section 270.30a-2 is also issued under 15 U.S.C. 78m, 78o(d), 80a-8, 80a-29, 7202, and 7241; and 18 U.S.C. 1350, unless otherwise noted.
* * * * *
28. By revising the last sentence of §270.8b-15 to read as follows:
§270.8b-15 Amendments.
* * * An amendment to any report required to include the certifications as specified in §270.30a-2(a) must include new certifications by each principal executive and principal financial officer of the registrant, and an amendment to any report required to be accompanied by the certifications as specified in §240.13a-14(b) or §240.15d-14(b) and §270.30a-2(b) must be accompanied by new certifications by each principal executive and principal financial officer of the registrant.
29. Section 270.30a-2 is revised to read as follows:
§270.30a-2 Certification of Form N-CSR.
(a) Each report filed on Form N-CSR (§§249.331 and 274.128 of this chapter) by a registered management investment company must include certifications in the form specified in Item 10(a)(2) of Form N-CSR and such certifications must be filed as an exhibit to such report. Each principal executive and principal financial officer of the investment company, or persons performing similar functions, at the time of filing of the report must sign a certification.
(b) Each report on Form N-CSR filed by a registered management investment company under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a) or 78o(d)) and that contains financial statements must be accompanied by the certifications required by Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) and such certifications must be furnished as an exhibit to such report as specified in Item 10(b) of Form N-CSR. Each principal executive and principal financial officer of the investment company (or equivalent thereof) must sign a certification. This requirement may be satisfied by a single certification signed by an investment company's principal executive and principal financial officers.
(c) A person required to provide a certification specified in paragraph (a) or (b) of this section may not have the certification signed on his or her behalf pursuant to a power of attorney or other form of confirming authority.
30. By revising §270.30a-3 to read as follows:
§ 270.30a-3 Controls and procedures.
(a) Every registered management investment company, other than a small business investment company registered on Form N-5 (§§239.24 and 274.5 of this chapter), must maintain disclosure controls and procedures (as defined in paragraph (c) of this section) and internal control over financial reporting (as defined in paragraph (d) of this section).
(b) Each such registered management investment company's management must evaluate, with the participation of the company's principal executive and principal financial officers, or persons performing similar functions, the effectiveness of the company's disclosure controls and procedures, within the 90-day period prior to the filing date of each report on Form N-CSR (§§ 249.331 and 274.128 of this chapter).
(c) For purposes of this section, the term disclosure controls and procedures means controls and other procedures of a registered management investment company that are designed to ensure that information required to be disclosed by the investment company on Form N-CSR (§§249.331 and 274.128 of this chapter) is recorded, processed, summarized, and reported within the time periods specified in the Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an investment company in the reports that it files or submits on Form N-CSR is accumulated and communicated to the investment company's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
(d) The term internal control over financial reporting is defined as a process designed by, or under the supervision of, the registered management investment company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the investment company;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the investment company are being made only in accordance with authorizations of management and directors of the investment company; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the investment company's assets that could have a material effect on the financial statements.
PART 249 - FORMS, SECURITIES EXCHANGE ACT OF 1934
PART 274 - FORMS PRESCRIBED UNDER THE INVESTMENT COMPANY ACT OF
1940
31. The authority citation for Part 274 is amended by revising the authority citation for "Section 274.128" to read as follows:
Authority : 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 78c(b), 78 l , 78m, 78n, 78o(d), 80a-8, 80a-24, 80a-26, and 80a-29, unless otherwise noted.
* * * * *
Section 274.128 is also issued under 15 U.S.C. 78j-1, 7202, 7233, 7241, 7264, and 7265; and 18 U.S.C. 1350.
32. Form N-SAR (referenced in §§ 249.330 and 274.101) is amended by revising the reference "internal controls and procedures for financial reporting" in paragraph (b)(6)(iv) of the Instruction to Sub-Item 102P3 to read "internal control over financial reporting".
33. Form N-CSR (referenced in §§ 249.331 and 274.128) is amended by:
a. In General Instruction D, revising the reference "Items 4, 5, and 10(a)" to read "Items 4, 5, and 10(a)(1)";
b. Revising paragraph 2.(a) of General Instruction F;
c. In paragraph (c) of Item 2, revising the reference "Item 10(a)" to read "Item 10(a)(1)";
d. In paragraph (f)(1) of Item 2, revising the reference "Item 10(a)" to read "Item 10(a)(1)";
e. In paragraph (b)(4) of Item 3, revising the reference "internal controls and procedures for financial reporting" to read "internal control over financial reporting";
f. Revising Item 9; and
g. In Item 10:
(i) The introductory text and paragraphs (a) and (b) are redesignated as paragraphs (a), (a)(1) and (a)(2), respectively;
(ii) Revising newly redesignated paragraph (a) and newly redesignated paragraph (a)(2); and
(iii) Adding new paragraph (b) and an Instruction to Item 10.
The revisions and additions read as follows.
Note: The text of Form N-CSR does not, and these amendments will not, appear in the Code of Federal Regulations.
FORM N-CSR
* * * * *
GENERAL INSTRUCTIONS
* * * * *
F. Signature and Filing of Report.
* * * * *
2. (a) The report must be signed by the registrant, and on behalf of the registrant by its principal executive and principal financial officers.
* * * * *
Item 9. Controls and Procedures.
(a) Disclose the conclusions of the registrant's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the registrant's disclosure controls and procedures (as defined in Rule 30a-3(c) under the Act (17 CFR 270.30a-3(c))) as of a date within 90 days of the filing date of the report that includes the disclosure required by this paragraph, based on the evaluation of these controls and procedures required by Rule 30a-3(b) under the Act (17 CFR 270.30a-3(b)) and Rules 13a-15(b) or 15d-15(b) under the Exchange Act (17 CFR 240.13a-15(b) or 240.15d-15(b)).
(b) Disclose any change in the registrant's internal control over financial reporting (as defined in Rule 30a-3(d) under the Act (17 CFR 270.30a-3(d)) that occurred during the registrant's last fiscal half-year (the registrant's second fiscal half-year in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.
Item 10. Exhibits.
(a) File the exhibits listed below as part of this Form.
* * * * *
(a)(2) A separate certification for each principal executive and principal financial officer of the registrant as required by Rule 30a-2(a) under the Act (17 CFR 270.30a-2(a)), exactly as set forth below:
CERTIFICATIONS
I, [identify the certifying individual], certify that:
1. I have reviewed this report on Form N-CSR of [identify registrant];
2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations, changes in net assets, and cash flows (if the financial statements are required to include a statement of cash flows) of the registrant as of, and for, the periods presented in this report;
4. The registrant's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Rule 30a-3(c) under the Investment Company Act of 1940) and internal control over financial reporting (as defined in Rule 30a-3(d) under the Investment Company Act of 1940) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of a date within 90 days prior to the filing date of this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal half-year (the registrant's second fiscal half-year in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and
5. The registrant's other certifying officer(s) and I have disclosed to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize, and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.
Date: ...............
_______________________
[Signature]
[Title]
(b) If the report is filed under Section 13(a) or 15(d) of the Exchange Act, provide the certifications required by Rule 30a-2(b) under the Act (17 CFR 270.30a-2(b)), Rule 13a-14(b) or Rule 15d-14(b) under the Exchange Act (17 CFR 240.13a-14(b) or 240.15d-14(b)), and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) as an exhibit. A certification furnished pursuant to this paragraph will not be deemed "filed" for purposes of
Section 18 of the Exchange Act (15 U.S.C. 78r), or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act of 1933 or the Exchange Act, except to the extent that the registrant specifically incorporates it by reference.
Instruction to Item 10 .
Letter or number the exhibits in the sequence that they appear in this item.
* * * * *
By the Commission.
J. Lynn Taylor
Assistant Secretary
June 5, 2003
______________________________
1 | 17 CFR 228.10 et seq. |
2 | 17 CFR 229.10 et seq. |
3 | 17 CFR 249.310. |
4 | 17 CFR 249.310b. |
5 | 17 CFR 249.308a. |
6 | 17 CFR 249.308b. |
7 | 17 CFR 249.220f. |
8 | 17 CFR 249.240f. |
9 | 17 CFR 240.12b-15. |
10 | 17 CFR 240.13a-14. |
11 | 17 CFR 240.13a-15. |
12 | 17 CFR 140.15d-14. |
13 | 17 CFR 240.15d-15. |
14 | 15 U.S.C. 78a et seq. |
15 | 17 CFR 210.1-02 and 2-02. |
16 | 17 CFR 210.1-01 et seq. |
17 | 17 CFR 270.8b-15. |
18 | 17 CFR 270.30a-2. |
19 | 17 CFR 270.30a-3. |
20 | 15 U.S.C. 80a-1 et seq . |
21 | 17 CFR 249.331; 17 CFR 274.128. |
22 | 17 CFR 249.330; 17 CFR 274.101. |
23 | Pub. L. 107-204, 116 Stat. 745 (2002). |
24 | Section 404 of the Sarbanes-Oxley Act does not apply to any registered investment company due to an exemption in Section 405 of the Sarbanes-Oxley Act. See sec. 405 of Pub. L. 107-204, 116 Stat. 745 (2002). |
25 | On April 25, 2003, the Commission approved the PCAOB's adoption of the auditing and attestation standards in existence as of April 16, 2003 as interim auditing and attestation standards. See Release No. 33-8222 (Apr. 25, 2003) [68 FR 23335]. |
26 | Release No. 33-8138 (Oct. 22, 2002) [67 FR 66208] ("Proposing Release"). The public comments we received can be viewed in our Public Reference Room at 450 Fifth Street, NW, Washington, DC 20549, in File No. S7-40-02. Public comments submitted by electronic mail are available on our website, www.sec.gov . |
27 | The commenters on File No. S7-40-02 are as follows: Academics Paul Walker, Ph.D., CPA; Accounting Firms BDO Seidman, LLP; Deloitte & Touche LLP; Ernst & Young LLP; KPMG LLP; PricewaterhouseCoopers LLP; Associations America's Community Bankers; American Bankers Association; American Bar Association; American Corporate Counsel Association; American Institute of Certified Public Accountants; Association for Financial Professionals; the Association of the Bar of the City of New York; Association for Investment Management and Research; the Business Roundtable; Community Bankers Association of New York State; Edison Electric Institute; Financial Executives International; Independent Community Bankers of America; the Institute of Internal Auditors; Maine Bankers Association; Manufacturers Alliance/MAPI Inc.; Massachusetts Bankers Association; National Association of Real Estate Investment Trusts; New York Bankers Association; New York County Lawyers' Association; New York State Bar Association; Software & Information Industry Association; Software Finance and Tax Executives Council; Wisconsin Bankers Association; Corporations Cardinal Health, Inc.; Compass Bancshares, Inc.; Computer Sciences Corporation; Eastman Kodak Company; Eli Lilly and Company; Emerson Electric Co.; Executive Responsibility Advisors, LLC; Greif Bros.; Intel Corporation; International Paper Company; Protiviti; Government Entities Federal Reserve Bank of Atlanta; Small Business Administration; Law Firms Dykema Gossett PLLC; Karr Tuttle Campbell; Fried, Frank, Harris, Shriver and Jacobson; Sutherland, Asbill & Brennan LLP; Individuals Thomas Damman; D. Scott Huggins; Tim J. Leech; Simon Lorne; Ralph Saul; Lee Squire; Robert J. Stuckey; Foreign Companies Siemens Aktiengesellcraft; International Entities British Bankers Association; British Embassy; Canadian Bankers Association; Confederation of British Industry; European Commission; Institute of Chartered Accountants of England and Wales. |
28 | 15 U.S.C. 78m(a) or 78o(d). Section 13(a) of the Exchange Act requires every issuer of a security registered pursuant to Section 12 of the Exchange Act [15 U.S.C. 78 l ] to file with the Commission such annual reports and such quarterly reports as the Commission may prescribe. Section 15(d) of the Exchange Act requires each issuer that has filed a registration statement that has become effective pursuant to the Securities Act of 1933 [15 U.S.C. 77a et seq. ] (the "Securities Act") to file such supplementary and periodic information, documents and reports as may be required pursuant to Section 13 in respect of a security registered pursuant to Section 12, unless the duty to file under Section 15(d) has been suspended for any fiscal year. See Exchange Act Rule 12h-3 [17 CFR 240.12h-3]. |
29 | 18 U.S.C. 1350. |
30 | See Release No. 34-46300 (Aug. 2, 2002) [67 FR 51508] at n. 11, containing supplemental information on the Commission's original certification proposal in light of the enactment of the Sarbanes-Oxley Act of 2002. |
31 | See Release No. 33-8124 (Aug. 28, 2002) [67 FR 57276] . |
32 | See Release No. IC-25914 (Jan. 27, 2003) [68 FR 5348]. |
33 | See Release No. 33-8212 (Mar. 21, 2003) [68 FR 15600]. |
34 | These methods have included: (1) submitting the statement as non-public paper correspondence; (2) submitting the statement as non-public electronic correspondence with the EDGAR filing of the periodic report; (3) submitting the statement under (1) or (2) above supplemented by an Item 9 Form 8-K report so that the statement is publicly available; (4) submitting the statement as an exhibit to the periodic report; and (5) submitting the statement in the text of the periodic report (typically, below the signature block for the report). |
35 | We proposed to use this term throughout the rules implementing the annual internal control report requirements of Section 404 of the Sarbanes-Oxley Act, as well as the revised Sarbanes-Oxley Section 302 certification requirements, to complement the defined term "disclosure controls and procedures" referred to in the Section 302 requirements. Congress used the term "internal controls" in Section 302 and "internal control structure and procedures for financial reporting" in Section 404. |
36 | For a history of the development of internal control standards, see Steven J. Root, Beyond COSO-Internal Control to Enhance Corporate Governance (1998). |
37 | In 1941, the Commission adopted amendments to Rules 2-02 and 3-07 of Regulation S-X that formally codified this practice. See Accounting Series Release No. 21 (Feb. 5, 1941) [11 FR 10921]. |
38 | An early definition for the term appeared in Internal Control--Elements Of a Coordinated System and Its Importance to Management and the Independent Public Accountant, a report published in 1949 by the American Institute of Accountants, the predecessor to the American Institute of Certified Public Accountants ("AICPA"). The report defined internal control to mean "the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies." Subsequent definitions of the term attempted to clarify the distinction by labeling the controls relevant to an audit as "internal accounting controls" and the non-accounting controls as "administrative controls." The AICPA officially dropped these distinctions in 1988. See Root, at p. 76. |
39 | Title I of Pub. Law No. 95-213 (1977). Beginning in 1973, as a result of the work of the Office of the Watergate Special Prosecutor, the Commission became aware of a pattern of conduct involving the use of corporate funds for illegal domestic political contributions. A subsequent Commission investigation revealed that instances of undisclosed questionable or illegal corporate payments--both domestic and foreign--were widespread. On May 12, 1976, the Commission submitted to the Senate Banking, Housing and Urban Affairs Committee a report entitled Report on Questionable and Illegal Corporate Payments and Practices . The report described and analyzed the Commission's investigation concerning improper corporate payments and outlined legislative and other responses that the Commission recommended to remedy these problems. One of the Commission's recommendations was that Congress enact legislation aimed expressly at enhancing the accuracy of the corporate books and records and the reliability of the audit process. |
40 | See Exchange Act Section 13(b)(2) [15 U.S.C. 78m(b)(2)]. |
41 | The Treadway Commission was sponsored by the AICPA, the American Accounting Association, the Financial Executives International (formerly Financial Executives Institute), the Institute of Internal Auditors and the Institute of Management Accountants (formerly the National Association of Accountants). The Treadway Commission's report, the Report of the National Commission on Fraudulent Financial Reporting (Oct. 1987), is available at www.coso.org. |
42 | See COSO, Internal Control-Integrated Framework (1992) ("COSO Report"). In 1994, COSO published an addendum to the Reporting to External Parties volume of the COSO Report. The addendum discusses the issue of, and provides a vehicle for, expanding the scope of a public management report on internal control to address additional controls pertaining to safeguarding of assets. In 1996, COSO issued a supplement to its original framework to address the application of internal control over financial derivative activities. |
43 | Auditing Standards Board, AICPA, Statement on Auditing Standards No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 (1995). |
44 | See letters regarding File No. S7-40-02 of: America's Community Bankers ("ACB"); American Corporate Counsel Association ("ACCA"); American Institute of Certified Public Accountants ("AICPA"); Compass Bancshares, Inc. ("Compass"); Computer Sciences Corporation ("CSC"); the Edison Electric Institute ("EEI"); the Independent Community Bankers of America ("ICBA"); the Institute of Internal Auditors ("IIA"); the Association of the Bar of the City of New York, Committee on Corporate Law ("NYCB-CCL"); Protiviti; and Siemens AG. |
45 | See letters regarding File No. S7-40-02 of ACB and ICBA. |
46 | See letters regarding File No. S7-40-02 of: the American Bar Association, Committee on the Federal Regulation of Securities and the Committee on Law and Accounting ("ABA"); the Federal Reserve Bank of Atlanta ("FED"); IIA; Simon Lorne ("Lorne"); and Pricewaterhouse Coopers LLP ("PwC"). |
47 | See ABA letter regarding File No. S7-40-02. |
48 | See letters regarding File No. S7-40-02 of: AICPA; Compass; Deloitte & Touche LLP ("D&T"); IIA; KPMG LLP ("KPMG"); and PwC. |
49 | See new Item 308 of Regulations S-K and S-B, amended Items 1-02 and 2-02 of Regulation S-X; amended Items 307and 401 of Regulations S-K and S-B; amended Exchange Act Rules 13a-14, 13a-15, 15d-14 and 15d-15; and amended Forms 20-F and 40-F. |
50 | The COSO Report states that the composition of a company's board and audit committee, and how the directors fulfill their responsibilities related to the financial reporting process, are key aspects of the company's control environment. An important element of the company's internal control over financial reporting "...is the involvement of the board or audit committee in overseeing the financial reporting process, including assessing the reasonableness of management's accounting judgments and estimates and reviewing key filings with regulatory agencies." See COSO Report at 130. The Commission similarly has stated in the past that both a company's management and board have important roles to play in establishing a supportive control environment. In its 1981 Statement of Policy regarding the FCPA, the Commission stated, "In the last analysis, the key to an adequate `control environment' is an approach on the part of the board and top management which makes clear what is expected and that conformity to these expectations will be rewarded while breaches will be punished." See Release No. 34-17500 (Jan. 29, 1981) [46 FR 11544]. |
51 | See amended Exchange Act Rules 13a-14(d) and 15d-14(d). The scope of the term "preparation of financial statements in accordance with generally accepted accounting principles" in the definition encompasses financial statements prepared for regulatory reporting purposes. |
52 | Codification of Statements on Auditing Standards Section 317 requires auditors to consider a company's compliance with laws and regulations that have a direct and material effect on the financial statements. |
53 | 15 U.S.C. 78m(b)(2)(B). |
54 | Section 103 of the Sarbanes-Oxley Act requires the PCAOB to establish by rule standards to be used by registered public accounting firms in the preparation and issuance of audit reports. In carrying out this responsibility, the PCAOB must include in the auditing standards that it adopts, among other things: a requirement that each registered public accounting firm describe in each audit report the scope of its testing of the company's internal control structure and procedures performed in fulfilling its internal control evaluation and reporting required by Section 404(b) of the Sarbanes-Oxley Act; present in the audit report (or attestation report) its findings from such testing; and an evaluation of whether the company's internal control structure and procedures: (1) include maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the company's assets; and (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with the authorization of management and directors of the company. In the audit report (or attestation report), the registered public accounting firm also must describe, at a minimum, material weaknesses in such internal controls and any material noncompliance found on the basis of such testing. See Sections 103(a)(2)(A)(iii)(I), (II) and (III) of the Sarbanes-Oxley Act. See also, Interim Professional Attestation Standards Rule 3300T, adopted in PCAOB Release No. 2003-006 (Apr. 18, 2003), and approved by the Commission on April 25, 2003. |
55 | Control procedures were described as policies and procedures in addition to the control environment and accounting system that management established to provide reasonable assurance that specific entity objectives will be achieved. SAS 55 also states that control procedures may generally be categorized as procedures that include, among other things, "adequate safeguards over access to and use of assets and records, such as secured facilities and authorization for access to computer programs and data files." See Statement on Auditing Standards No. 55, paragraph no. 11. |
56 | See COSO "Addendum to Reporting to External Parties," Internal Control-Integrated Framework , (1994) ("1994 Addendum") at p. 154. |
57 | The COSO Report states: "Although these [objectives relating to safeguarding of resources] are primarily operations objectives, certain aspects of safeguarding can fall under other categories. . . [T]he goal of ensuring that any such asset losses are properly reflected in the entity's financial statements represents a financial reporting objective." The category in which an objective falls can sometimes depend on the circumstances. Continuing the discussion of safeguarding of assets, controls to prevent theft of assets - such as maintaining a fence around inventory and a gatekeeper verifying proper authorization of requests for movement of goods - fall under the operations category. These controls normally would not be relevant to the reliability of financial statement preparation, because any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, as may be the case for interim reporting, the physical security controls would then also fall within the financial reporting category. This is because these physical security controls, along with other controls over the perpetual inventory records, would be needed to ensure reliable financial reporting. Id. at 37. |
58 | As stated in n. 1 to the 1994 Addendum, the FCPA requires companies, among other things, to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management's general or specific authorization; (ii) transactions are recorded as necessary ... to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management's general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences." |
59 | See letters regarding File No. S7-40-02 of: ABA; CSC; EEI; FED; Eastman Kodak Co. ("Kodak"); KPMG; Protiviti; and PwC. |
60 | See letters regarding File No. S7-40-02 of: ACCA and Financial Executives Institute ("FEI"). |
61 | See letters regarding File No. S7-40-02 of: AICPA; BDO Seidman, LLP ("BDO"); D&T; Ernst & Young LLP ("E&Y"); KPMG; and PwC. |
62 | Management must state whether or not the company's internal control over financial reporting is effective. A negative assurance statement indicating that nothing has come to management's attention to suggest that the company's internal control over financial reporting is not effective will not be acceptable. |
63 | A "material weakness" is defined in Statement on Auditing Standards No. 60 (codified in Codification of Statements on Auditing Standards AU §325) as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. See discussion in Section II.B.3.b. below. |
64 | See new Item 308 of Regulations S-B and S-K, Item 15 of Form 20-F and General Instruction B(6) of Form 40-F. |
65 | Many commenters cited the absence of evaluative criteria in AU §319 in their arguments against the reference to AU §319 in our proposed definition of "internal controls and procedures for financial reporting." |
66 | See amended Exchange Act Rule 13a-15(c) or 15d-15(c), amended Item 15 of Form 20-F and amended General Instruction (B) to Form 40-F. |
67 | The Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants and the Turnbull Report published by the Institute of Chartered Accountants in England & Wales are examples of other suitable frameworks. |
68 | We are aware that some of the evaluation frameworks used to assess a foreign company's internal controls in its home country do not require a statement regarding whether the company's system of internal control has been effective. Under our final rules, management of a foreign reporting company who relies on such an evaluation framework used in its home country is nevertheless under an obligation to state affirmatively whether its company's internal controls are, or are not, effective. |
69 | See AT §101, paragraph 24. |
70 | See Release No. 33-8183 (Jan. 28, 2003) [68 FR 6006]. |
71 | Management's acceptance of responsibility for the documentation and testing performed by the auditor does not satisfy the auditor independence rules. |
72 | This is consistent with interim attestation standards. See AT §501. |
73 | The term "significant deficiency" has the same meaning as the term "reportable condition" as used in AU §325 and AT §501. The terms "material weakness" and "significant deficiency" both represent deficiencies in the design or operation of internal control that could adversely affect a company's ability to record, process, summarize and report financial data consistent with the assertions of management in the company's financial statements, with a "material weakness" constituting a greater deficiency than a "significant deficiency." Because of this relationship, it is our judgment that an aggregation of significant deficiencies could constitute a material weakness in a company's internal control over financial reporting. |
74 | See new Item 308(d) of Regulations S-B and S-K. |
75 | See, for example, letters re: File No. S7-40-02 of: ABA; AICPA; BDO; Intel; and Eli Lilly and Company. |
76 | Section 13(b)(2)(A) of the Exchange Act [15 U.S.C. 78m(b)(2)(A)] requires companies to "make and keep books, records, and accounts, which in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer." See also Section 13(b)(2)(B) of the Exchange Act [15 U.S.C. 78m(b)(2)(B)] and In re Microsoft Corp. , Administrative Proceeding File No. 3-10789 (June 3, 2002). In the Microsoft order, the Commission stated that such books and records include not only general ledgers and accounting entries, but also memoranda and internal corporate reports. We have previously stated, as a matter of policy, that under Section 13(b)(2) "every public company needs to establish and maintain records of sufficient accuracy to meet adequately four interrelated objectives: appropriate reflection of corporate transactions and the disposition of assets; effective administration of other facets of the issuer's internal control system; preparation of its financial statements in accordance with generally accepted accounting principles; and proper auditing." Statement of Policy Regarding the Foreign Corrupt Practices Act of 1977, Release No. 34-17500 (Jan. 29, 1981) [46 FR 11544]. |
77 | See Instruction 1 to new Item 308 of Regulations S-K and S-B, Instruction 1 to Item 15 of Form 20-F and Instruction 1 to paragraphs (b), (c), (d) and (e) of General Instruction B.6 to Form 40-F. |
78 | This statement should not be interpreted to mean that management personally must conduct the necessary activities to evaluate the design and test the operating effectiveness of the company's internal control over financial reporting. Activities, including those necessary to provide management with the information on which it bases its assessment, may be conducted by non-management personnel acting under the supervision of management. |
79 | See Statements on Standards for Attestation Engagements No. 10. |
80 | See Exchange Act Rules 13a-15(b) and 15d-15(b) [17 CFR 240.13a-15(b) and 240.15d-15(b)]. |
81 | See letters regarding File No. S7-40-02 of: AICPA; Executive Responsibility; FED; and Protiviti. |
82 | See Protiviti letter regarding File No. S7-40-02. |
83 | See letters regarding File No. S7-40-02 of: ABA; ACB; ACCA; Association for Financial Professionals ("AFP"); Am. Bankers Assoc.; BDO; Business Roundtable ("BRT"); Computer Sciences Corporation ("CSC"); Compass; Thomas Damman ("Damman"); EEI; Emerson Electric Co. ("Emerson"); FEI; Fried, Frank, Harris, Shriver and Jacobson ("Fried Frank"); International Paper Company ("IPC"); ICBA; NYCB-CCL; New York State Bar Association ("NYSBA"); Siemens AG ("Siemens"); Software & Information Industry Association ("SIIA"); and Software Finance and Tax Executives Council ("SOFTEC"). |
84 | See Damman letter regarding File No. S7-40-02. |
85 | See letters regarding File No. S7-40-02 of: ABA; ACB; ACCA; BRT; CSC; Emerson; Fried Frank; ICBA; IPC; NYCB-CCL; SIIA; and SOFTEC. |
86 | See letters regarding File No. S7-40-02 of: Am. Bankers Assoc.; CSC; Fried Frank. |
87 | See letters regarding File No. S7-40-02 of: Damman; Compass; EEI; Executive Responsibility Advisors, LLC ("Executive Responsibility"); and Siemens. |
88 | See letters regarding File No. S7-40-02 of: ABA and BDO. |
89 | See BDO letter regarding File No. S7-40-02. |
90 | See ABA letter regarding File No. S7-40-02. |
91 | See Emerson letter regarding File No. S7-40-02. |
92 | See Exchange Act Rules 13a-15(d) and 15d-15(d) [17 CFR 240.13a-15(d) and 240.15d-15(d)]. |
93 | For example, where a component of internal control over financial reporting is subsumed within disclosure controls and procedures, even where systems testing of that component would clearly be required as part of the annual evaluation of internal control over financial reporting, management could make a different determination of the appropriate nature of the evaluation of that component for purposes of a quarterly evaluation of disclosure controls and procedures. |
94 | See Exchange Act Rules 13a-15(b) and 15d-15(b). |
95 | See ABA letter regarding File No. S7-40-02. |
96 | See Intel letter regarding File No. S7-40-02. |
97 | See Release No. 33-8128 (Sept. 16, 2002) [67 FR 58480]. The final rule amendments do not require that the evaluation take place on the last day of the period, but that the statement of effectiveness of the issuer's disclosure controls and internal control over financial reporting be as of the end of the period. |
98 | We have also made conforming changes to Forms 20-F and 40-F to clarify that the management of a foreign private issuer must disclose in the issuer's annual report filed on Form 20-F or 40-F any change in the issuer's internal control over financial reporting that occurred during the period covered by the annual report and that materially affected, or is reasonably likely to affect, this internal control. See Item 15(d) of Form 20-F and General Instruction B(6)(e) of Form 40-F. |
99 | See Exchange Act Rules 10b-5 and 12b-20 [17 CFR 240.10b-5 and 17 CFR 240.12b-20]. |
100 | This is the disclosure required by paragraph 5 of the certification form. |
101 | 15 U.S.C. 78m(b)(2). |
102 | See Codification of Statement on Auditing Standards AU §319.18. |
103 | Pub. L. 102-242, 105 Stat. 2242 (1991). |
104 | See Section 405 of the Sarbanes-Oxley Act. |
105 | See Section II. J. below. |
106 | 12 U.S.C. 1831m. |
107 | The designated laws and regulations are federal laws and regulations concerning loans to insiders and federal and state laws and regulations concerning dividend restrictions. See 12 CFR Part 363, Appendix A, Guideline 12. |
108 | See 12 CFR 363.2, adopted in 58 FR 31332. These requirements only apply to an insured depository institution with total assets of $500 million or more. We recognize that the FDIC's regulations use the term "internal control structure and procedures for financial reporting" rather than the term "internal control over financial reporting" used in our rules. We think the differences in the meaning of the two terms are insignificant because both Section 36(b)(2) of the Federal Deposit Insurance Act and Section 404(a) of the Sarbanes-Oxley Act refer to "internal control structure and procedures for financial reporting." Nevertheless, the FDIC has defined the term "financial reporting" to include financial statements prepared in accordance with generally accepted accounting principles ("GAAP") and those prepared for regulatory reporting purposes (see FDIC Financial Institution Letter FIL-86-94, dated December 23, 1994). |
109 | 12 CFR 363.3. |
110 | 12 CFR 363.4(a) and (b). |
111 | 12 CFR Part 363. |
112 | Services and functions are considered "comparable" if the holding company prepares and submits the management assessment of the effectiveness of the internal control structure and procedures for financial reporting and compliance with the designated safety and soundness laws and regulations based on information concerning the relevant activities and operations of those subsidiary institutions subject to Part 363. See 12 CFR Part 363, Appendix A, Guideline 4. |
113 | This rating is more commonly known as the CAMELS rating, which addresses Capital adequacy, Asset quality, Management, Earnings, Liquidity and Sensitivity to market risk. See 12 CFR 363.1(b)(2). The appropriate federal banking agency may determine that an insured depository institution with total assets in excess of $9 billion that is a subsidiary of a holding company may not satisfy its FDIC internal control report requirement with an internal control report of the consolidated holding company's management if the agency determines that there could be a significant risk to the affected deposit insurance fund if the institution were allowed to satisfy its requirements in this manner. See 12 CFR 363.1(b)(3). |
114 | The FDIC's regulations do not specifically require that management identify the control framework used to evaluate the effectiveness of the institution's internal control over financial reporting. However, given the requirements of Sections 101 and 501 of the American Institute of Certified Public Accountants' attestation standards, the FDIC believes that the framework used must be disclosed or otherwise publicly available to all users of reports that institutions file with the FDIC pursuant to Part 363 of the FDIC's regulations. |
115 | The FDIC's regulations do require an independent public accountant to examine, attest to, and report separately on, the assertion of management concerning the institution's internal control structure and procedures for financial reporting, but these regulations do not require the accountant to be a registered public accounting firm. See 12 CFR 363.3(b). |
116 | Our rules do not provide an exemption that parallels the FDIC's exemption for insured depository institutions with less than $500 million in assets. It would be incongruous to provide an exemption in our rules for small depository institutions and not other small, non-depository Exchange Act reporting companies. |
117 | An insured depository institution subject to both the FDIC's requirements and our new requirements choosing to file a single report to satisfy both sets of requirements will file the report with its primary federal regulator under the Exchange Act and the FDIC, its primary federal regulator (if other than the FDIC), and any appropriate state depository institution supervisor under Part 363 of the FDIC's regulations. A holding company choosing to prepare a single report to satisfy both sets of requirements will file the report with the Commission under the Exchange Act and the FDIC, the primary federal regulator of the insured depository institution subsidiary subject to the FDIC's requirements, and any appropriate state depository institution supervisor under Part 363. |
118 | Management will not be permitted to conclude that the registrant's internal control over financial reporting is effective if there are one or more material weaknesses in the registrant's internal control over financial reporting. |
119 | An insured depository institution subject to both the FDIC's requirements and our new requirements choosing to file a single management report to satisfy both sets of requirements will file the attestation report with its primary federal regulator under the Exchange Act and the FDIC, its primary federal regulator (if other than the FDIC), and any appropriate state depository institution supervisor under Part 363 of the FDIC's regulations. A holding company choosing to prepare a single management report to satisfy both sets of requirements will file the attestation report with the Commission under the Exchange Act and the FDIC, the primary federal regulator of the insured depository institution subsidiary subject to the FDIC's requirements, and any appropriate state depository institution supervisor under Part 363. |
120 | See Section 405 of the Sarbanes-Oxley Act ("Nothing in section 401, 402, or 404, the amendments made by those sections, or the rules of the Commission under those sections shall apply to any investment company registered under section 8 of the Investment Company Act of 1940 (15 U.S.C. 80a-8)."). The provisions that would not extend to registered investment companies include amendments to Exchange Act rules 13a-15(c) and 15d-15(c) (requiring annual evaluation of the effectiveness of internal control over financial reporting); Exchange Act rules 13a-15(d) and 15d-15(d) (requiring quarterly evaluation of any change in internal control over financial reporting that has materially affected, or is reasonably likely to materially affect, internal control over financial reporting); and Items 308(a) and (b) of Regulations S-K and S-B (requiring annual report by management on internal control over financial reporting and attestation report on management's evaluation of internal control over financial reporting). |
121 | Proposed paragraph 4 of the certification section of proposed Form N-CSR. Proposing Release, note 26 above, 67 FR at 66250. We received 7 comment letters on the proposed changes to the certification rules with respect to investment companies in the Proposing Release. See letters regarding File No. S7-40-02 of: the Investment Company Institute ("ICI"); Protiviti; OppenheimerFunds, Inc. ("Oppenheimer"); The Association of the Bar of the City of New York; Leslie Ogg of Board Services Corporation ("Ogg"); Federated Funds; and D&T. |
122 | See letters regarding File No. S7-40-02 of: Association of the Bar of the City of New York; ICI; and Oppenheimer. |
123 | See Section 302(a)(4)(A) and (B) of the Sarbanes-Oxley Act (requiring signing officers to certify that they are responsible for establishing and maintaining internal controls and have designed the internal controls to ensure that material information relating to the issuer is made known to the signing officers). |
124 | For a discussion of changes to the form of the Section 302 certification for operating companies, see Section III. D. below. |
125 | Proposed Exchange Act Rules 13a-15(c) and 15d-15(c), proposed Investment Company Act Rule 30a-2(b)(4)(iii), and proposed Investment Company Act Rule 30a-3(b). |
126 | See letters regarding File No. S7-40-02 of: D&T; ICI; Ogg; and Oppenheimer. |
127 | See Release No. IC-25914 (Jan. 27, 2003) [68 FR 5348, 5352 n. 43] (noting that in the case of a series fund or family of investment companies in which the disclosure controls and procedures for each fund in the series or family are the same, a single evaluation of the effectiveness of the disclosure controls and procedures for the series or family could be used in multiple certifications for the funds in the series or family, as long as the evaluation has been performed within 90 days of the report on Form N-CSR). |
128 | See, for example, the letters regarding File No. S7-40-02 of: AICPA; D&T; CSC; E&Y; and Association of the Bar of the City of New York, Committee on Securities Regulation ("NYCB-CSR"). |
129 | See Section II. I., above, for compliance dates applicable to registered investment companies. |
130 | See Section V. below. |
131 | See letters regarding File No. S7-06-03 of: ABA; Cleary, Gottlieb, Steen & Hamilton ("Cleary"); Prof. Paul A. Griffin ("Griffin"); Intel Corporation ("Intel"); ICI; PwC; John Stalnaker and Patrick Derksen ("Stalnaker"); and Rooks Pitts ("Rooks"). |
132 | See letters regarding File No. S7-06-03 of: ABA; Cleary; Intel; and PwC. |
133 | See letters File No. S7-06-03 of ABA and Cleary. |
134 | Id. |
135 | Pub. L. No. 83-406, 88 Stat. 129 (1974). |
136 | See letters regarding File No. S7-06-03 of: ABA; Cleary; and PwC. |
137 | See ABA letter regarding File No. S7-06-03. |
138 | Id. |
139 | See Stalnaker letter regarding File No. S7-06-03. |
140 | See 149 Cong. Rec. S5325 (daily ed. Apr. 11, 2003). |
141 | Id. at S5331. |
142 | See Release No. 33-8212 (Mar. 21, 2003) [68 FR 15600] at fn. 37. |
143 | See ABA letter regarding File No. S7-06-03. |
144 | See letters regarding File No. S7-06-03 of: ABA; Cleary; Intel; and PwC. |
145 | We recently adopted Form N-CSR, to be used by registered management investment companies to file certified shareholder reports with the Commission. See Release No. IC-25914 (Jan. 27, 2003) [68 FR 5348]. As adopted, Form N-CSR requires the Section 302 certifications to be filed as an exhibit to a report on Form N-CSR. Item 10(b) of Form N-CSR. |
146 | Accordingly, we are revising Exchange Act Rules 13a-14 and 15d-14 to delete from those rules the detailed description of the contents of the required certifications and to revise the instructions to Forms 10-Q, 10-QSB, 10-K, and 10-KSB to delete the references to the Section 302 certification requirements. We are also adopting similar changes to Investment Company Act Rule 30a-2 and Form N-CSR. |
147 | See General Instruction A of Form N-CSR (Form N-CSR is a combined reporting form to be used for reports of registered management investment companies under Section 30(b)(2) of the Investment Company Act and Sections 13(a) or 15(d) of the Exchange Act); n. 28 above (discussing issuers covered by Sections 13(a) and 15(d) of the Exchange Act). Registered management investment companies that are required to file reports on Form N-CSR pursuant to Section 13(a) or 15(d) of the Exchange Act will be required to provide the Section 906 certifications under Exchange Act Rules 13a-14(b) and 15d-14(b) as well as Investment Company Act Rule 30a-2(b). By contrast, registered management investment companies that are required to file reports on Form N-CSR are required to provide the Section 302 certifications solely under Investment Company Act Rule 30a-2(a), which was adopted under Sections 13(a) and 15(d) of the Exchange Act as well as the Investment Company Act. Release No. 33-8124 (Aug. 28, 2002) [67 FR 57276, 57295]; Release No. IC-25914 (Jan. 27, 2003) [68 FR 5348, 5365]. |
148 | See also Section 3(b)(1) of the Sarbanes-Oxley Act, which provides that "[a] violation by any person of this Act . . . shall be treated for all purposes in the same manner as a violation of the Securities Exchange Act of 1934 . . . and any such person shall be subject to the same penalties, and to the same extent, as for a violation of that Act. . . ." |
149 | See Rule 302(b) of Regulation S-T [17 CFR 232.302(b)]. Among other things, this rule requires that an issuer maintain manually signed certifications or other authenticating documents. |
150 | See, for example, Item 601(b)(32)(ii) of Regulation S-K. |
151 | 15 U.S.C. 78r. |
152 | 15 U.S.C. 77k. |
153 | 5 U.S.C. 552 et seq. |
154 | See Exchange Act Rule 12b-15 [17 CFR 240.12b-15] and Investment Company Act Rule 8b-15 [17 CFR 270.8b-15]. Depending on the contents of the amendment, the form of certification required to be included may be subject to modification. |
155 | See Exchange Act Rules 13a-14(b) and 15d-14(b) [17 CFR 240.13a-14(b) and 240.15d-14(b)] and Investment Company Act Rule 30a-2(b) [17 CFR 270.30a-2(b)]. |
156 | See Release No. 33-8212 (Mar. 21, 2003) [68 FR 15600] at Section III. |
157 | We are modifying that interim guidance, however, to more closely parallel the provisions of Section 302 of Regulation S-T that require retention of manual signatures for electronically filed signed statements. Issuers furnishing Section 906 certifications to the Commission as an exhibit to the periodic reports to which they relate during the period covered by the interim guidance should insert the following legend after the text of each certification: "A signed original of this written statement required by Section 906, or other document authenticating, acknowledging, or otherwise adopting the signature that appears in typed form within the electronic version of this written statement required by Section 906, has been provided to [name of issuer] and will be retained by [name of issuer] and furnished to the Securities and Exchange Commission or its staff upon request." |
158 | Use of Exhibit 99 for this purpose will remain in effect until we announce that our EDGAR system permits registrants to file or furnish exhibits 31 and 32 for Section 302 and 906 certifications. We will issue a statement and post it on the Commission's website to announce this date as soon as it becomes known. |
159 | For a registered management investment company filing reports on Form N-CSR, the EDGAR document type should be EX-99.906CERT for the Section 906 certifications. |
160 | 44 U.S.C. 3501 et seq . |
161 | 44 U.S.C. 3507(d) and 5 CFR 1320.11. |
162 | See Rule 302 of Regulation S-T [17 CFR 232.302]. |
163 | See Release No. 33-8138 (Oct. 22, 2002) [67 FR 66208] and Release No. 33-8212 (Mar. 21, 2003) [68 FR 15600]. |
164 | See letters regarding File No. S7-40-02 of: AICPA; BDO; D&T; Emerson; E&Y; IPC; Intel; and NYCB-CCL. |
165 | See Intel letter regarding File No. S7-40-02. |
166 | Our estimates are based on information from with several large and small firms, accounting firms and trade and professional associations. |
167 | The estimates used in the releases proposing these rules were based on the number of filings that we received in fiscal year 2001. |
168 | We assumed the estimated burdens in the second and third years would decline by 75% from the first year estimate. |
169 | Our PRA estimates do not include any additional burdens or costs that a company will incur as a result of having to obtain an auditor's attestation report on management's internal control report because the PCAOB, rather than the Commission, is responsible for establishing the attestation standards and the Sarbanes-Oxley Act itself requires companies to obtain such an attestation. We have, however, included an estimated 0.5 hour burden in our revised annual burden estimates to account for the filing by the company of the attestation report. |
170 | The burden allocation for Forms 20-F and 40-F, however, use a 25% internal to 75% outside professional allocation to reflect the fact that foreign private issuers rely more heavily on outside professionals for the preparation of these forms. |
171 | While Section 906 of the Sarbanes-Oxley Act requires that certifications must accompany a periodic report, we are increasing our PRA burdens in view of the fact that the amendments explicitly require companies to furnish Section 906 certifications as exhibits to these reports. To date, companies have used various methods to fulfill their obligations under Section 906, and have not consistently submitted the certifications as part of the report. |
172 | Many registered management investment companies have multiple portfolios. However, they prepare separate financial statements for each portfolio. Thus, the burden of the Section 906 certifications is estimated on a portfolio basis rather than a registered management investment company basis. |
173 | This number represents the burden associated with the average number of portfolios per form. This number will vary for each registered management investment company depending on the number of portfolios. We estimate that the paperwork burden for each portfolio is one hour. |
174 | This estimate is based on the estimated total burden hours of 5,396,266, an assumed 75%/25% split of the burden hours between internal staff and external professionals, and an hourly rate of $200 for internal staff time and $300 for external professionals. The hourly cost estimate is based on consultations with several registrants and law firms and other persons who regularly assist registrants in preparing and filing periodic reports with the Commission. Our PRA estimate does not reflect any additional cost burdens that a company will incur as a result of having to obtain an auditor's attestation on management's internal control report. |
175 | This calculation is based on an estimate of burden hours multiplied by a cost of $200.00 per hour. (117,048 hours multiplied by $200.00 per hour). The hourly cost estimate is based on consultations with several registrants and law firms and other persons who regularly assist registrants in preparing and filing periodic reports with the Commission. |
176 | See ABA letter regarding File No. S7-06-03. |
177 | 5 U.S.C. 552 et seq. |
178 | 15 U.S.C. 78w(a)(2). |
179 | 15 U.S.C §77b(b). |
180 | 15 U.S.C. 78c(f). |
181 | 15 U.S.C. 80a-2(c). |
182 | 5 U.S.C. 601. |
183 | 5 U.S.C. 603. |
184 | 17 CFR 240.0-10(a). |
185 | 17 CFR 270.0-10. |
186 | This estimate is based on figures compiled by the Commission staff regarding investment companies registered on Forms N-1A, N-2 and N-3, which are required to file reports on Form N-CSR. |
187 | This estimate includes the burden for one annual report and three quarterly reports. |
188 | Under the method we used to estimate the PRA burdens associated with the Section 404 rules, we estimated that companies with less than $100 million in revenues would be subject to an added annual reporting burden of approximately 100 hours. |
189 | The estimated burden for one annual report and three quarterly reports. |
190 | See Beasley, Carcello and Hermanson, Fraudulent Financial Reporting: 1987-1997, An Analysis of U.S. Public Companies (Mar. 1999) (study commissioned by the Committee of Sponsoring Organizations of the Treadway Commission). |
191 | 17 CFR 240.12b-2. |
http://www.sec.gov/rules/final/33-8238.htm
Home | Previous Page | Modified: 08/28/2008 |