The Securities and Exchange Commission (“SEC” or “Commission”) disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author’s views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

Introduction

I would like to speak to you today about the need for companies’ internal control over financial reporting (“ICFR”) to adapt to change and share my thoughts about ways to design effective controls. Members of the SEC staff have spoken frequently about the importance of effective ICFR both at this conference and in other forums. Our focus on ICFR is based on our experience, long recognized in our securities laws,[1] that management's ability to produce reliable financial information for investors depends, in part, on the effectiveness of the company’s internal controls. However, we believe that there are benefits to approaching ICFR as more than just a compliance exercise. In addition to supporting reliable financial reporting, effective ICFR also promotes internal accountability and contributes to better information flows within the company which in turn can translate into greater investment efficiency and improved operating performance.[2]

ICFR in the Ever-Changing Environment

A key feature of an effective system of internal control is its ability to adapt timely to changes that, if not addressed, may impact the company’s ability to achieve its objectives. In the case of ICFR, the objective is defined, in part, as “to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP.”[3] That ability to adapt is important because internal control that is effective within one set of conditions may not necessarily be effective when those conditions change significantly.[4] This concept is recognized in Principle #9 of the COSO Framework, which is a part of the risk assessment component of internal control. It directs companies to identify and assess changes that could significantly impact their system of internal control. The COSO Framework further explains that this can be accomplished, in part, by establishing a process to identify and assess those internal and external factors that can significantly affect the company’s ability to achieve its objectives.[5] Furthermore, to the extent practicable, these mechanisms should be forward looking.[6]

One might ask, however, whether some companies sufficiently consider these adaptive mechanisms of Principle #9 in their ongoing risk assessment. This question arises, for example, when companies identify errors in their financial statements related to, so called, “significant, complex, or unusual transactions.” In those circumstances, it is important for management, audit committees, and auditors to ask why the company was not prepared to appropriately account for the particular transaction in accordance with GAAP. I believe that a thorough response to this question might indicate that, in addition to deficiencies in process-level controls that directly contributed to the misstatements, there may also exist, and indeed might have existed for a while, underlying deficiencies in the company’s risk assessment, including Principle #9, or other components of ICFR outside of control activities.[7] These underlying deficiencies may themselves represent material weaknesses.

Adoption of the new accounting standards for revenue, leases, and credit losses may be akin to a significant, complex, or unusual transaction for many companies and, like those transactions, it will put the design of companies’ ICFR to test. I believe that, if effective, the adaptive mechanisms considered in Principle #9 of the COSO Framework should help companies appropriately prepare for the adoption of the new standards and support timely informative transition disclosures.[8] They may also help management timely identify areas that may require designing new or revising existing controls to adequately address risks of material misstatement. Therefore, as companies work through their adoption of the new standards, management and auditors may identify information relevant to their evaluation of the effectiveness of the company’s existing risk assessment controls, including those described in Principle #9. If the evaluation identifies deficiencies that may affect the company’s financial reporting in the current period (e.g., related to significant, complex, or unusual transactions during the period or transition disclosures for the new accounting standards), such deficiencies need to be evaluated as to their severity and communicated to the company’s investors (if they rise to the level of a material weakness) or audit committee (if they represent significant deficiencies).

Principles of Effective Design of Controls

The need to reassess and possibly update internal controls in connection with the adoption of the new accounting standards has been a consistent theme of speeches and presentations by SEC staff over the past several years. We are aware that identifying relevant risks of material misstatement that may arise under the new accounting standards and designing appropriately responsive controls may not be an easy task. However, we believe that if done right, the foundation established will over time yield benefits of a more effective and efficient ICFR process.

Designing effective controls often requires significant judgment. This is particularly true with reference to complex controls that contain judgments related to management’s review. And while judgment about the design of a control can never be eliminated,[9] I believe there are certain considerations that can provide a useful road map to thinking through the design of a control and documenting it. Some of these considerations include:

• What is the objective of the control? Is it to respond to a specific financial reporting risk or rather to monitor the operation of other controls or the company’s overall operations?
• If the control is intended to respond to a specific financial reporting risk, what is that risk?
• What is the intended precision of the control and is it appropriate given the objective of the control, the level of aggregation of the data used in the control’s operation, and how frequently the control operates?
• If a threshold is used to identify items that may require further investigation, is the threshold appropriate and how will the items be followed-up on?
• Is the information used in the operation of the control complete and accurate?

Making and documenting these and other relevant considerations about a control’s design up-front has many potential benefits. Among others, it can facilitate consistent execution of the control over time. But it also has the potential to strengthen confidence in management’s judgments about its controls when ICFR is assessed by external parties, including auditors.

Conclusion

That concludes my prepared remarks. Thank you for your kind attention.