AGENCY:

Securities and Exchange Commission.

ACTION:

Final rule.

SUMMARY:

As directed by Section 404 of the Sarbanes-Oxley Act of 2002, we are adopting rules requiring companies subject to the reporting requirements of the Securities Exchange Act of 1934, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. Under the new rules, a company is required to file the registered public accounting firm's attestation report as part of the annual report. Furthermore, we are adding a requirement that management evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. Finally, we are adopting amendments to our rules and forms under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 to revise the Section 302 certification requirements and to require issuers to provide the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 as exhibits to certain periodic reports.

DATES:

Effective Date: August 14, 2003.

Compliance Dates: The following compliance dates apply to companies other than registered investment companies. A company that is an “accelerated filer,” as defined in Exchange Act Rule 12b-2, as of the end of its first fiscal year ending on or after June 15, 2004, must begin to comply with the management report on internal control over financial reporting disclosure requirements in its annual report for that fiscal year. A company that is not an accelerated filer as of the end of its first fiscal year ending on or after June 15, 2004, including a foreign private issuer, must begin to comply with the annual internal control report for its first fiscal year ending on or after April 15, 2005. A company must begin to comply with the requirements regarding evaluation of any material change to its internal control over financial reporting in its first periodic report due after the first annual report required to include a management report on internal control over financial reporting. Companies may voluntarily comply with the new disclosure requirements before the compliance dates. A company must comply with the new exhibit requirements for the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act of 2002 and changes to the Section 302 certification requirements in its quarterly, semi-annual or annual report due on or after August 14, 2003. To account for the differences between the compliance date of the rules relating to internal control over financial reporting and the effective date of changes to the language of the Section 302 certification, a company's certifying officers may temporarily modify the content of their Section 302 certifications to eliminate certain references to internal control over financial reporting until the compliance date, as further explained in Section III.E. below.

Registered investment companies must comply with the rule and form amendments applicable to them on and after August 14, 2003, except as follows. Registered investment companies must comply with the amendments to Exchange Act Rules 13a-15(a) and 15d-15(a) and Investment Company Act Rule 30a-3(a) that require them to maintain internal control over financial reporting with respect to fiscal years ending on or after June 15, 2004. In addition, a registered investment company's certifying officers may temporarily modify the content of their Section 302 certifications to eliminate certain references to internal control over financial reporting, as further explained in Section II.I. below. Registered investment companies may voluntarily comply with the rule and form amendments before the compliance dates.

FOR FURTHER INFORMATION CONTACT:

N. Sean Harrison, Special Counsel, or Andrew D. Thorpe, Special Counsel, Division of Corporation Finance, at (202) 942-2910, or with respect to registered investment companies, Christian Broadbent, Senior Counsel, Division of Investment Management, at (202) 942-0721, or with respect to attestation and auditing issues, Edmund Bailey, Assistant Chief Accountant, Randolph P. Green, Professional Accounting Fellow, or Paul Munter, Academic Accounting Fellow, Office of the Chief Accountant, at (202) 942-4400, U.S. Securities and Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549.

SUPPLEMENTARY INFORMATION:

We are revising Items 307, 401 and 601 of Regulations S-B ^[1] and S-K; ^[2] adding new Item 308 to Regulations S-B and S-K; amending Form 10-K,^[3] Form 10-KSB,^[4] Form 10-Q,^[5] Form 10-QSB,^[6] Form 20-F,^[7] Form 40-F,^[8] Rule 12b-15,^[9] Rule 13a-14,^[10] Rule 13a-15,^[11] Rule 15d-14 ^[12] and Rule 15d-15 ^[13] under the Securities Exchange Act of 1934 (the “Exchange Act”); ^[14] amending Rules 1-02 and 2-02 ^[15] of Regulation S-X; ^[16] amending Rules 8b-15,^[17] 30a-2 ^[18] and 30a-3 ^[19] under the Investment Company Act of 1940 (“Investment Company Act”); ^[20] and amending Forms N-CSR ^[21] and N-SAR ^[22] under the Exchange Act and the Investment Company Act.

Table of Contents

I. Background Start Printed Page 36637

A. Management's Report on Internal Control over Financial Reporting

B. Certifications

II. Discussion of Amendments Implementing Section 404

A. Definition of Internal Control

1. Proposed Rule

2. Comments on the Proposal

3. Final Rules

B. Management's Annual Assessment of, and Report on, the Company's Internal Control over Financial Reporting

1. Proposed Rule

2. Comments on the Proposal

3. Final Rules

a. Evaluation of Internal Control over Financial Reporting

b. Auditor Independence Issues

c. Material Weaknesses in Internal Control over Financial Reporting

d. Method of Evaluating

e. Location of Management's Report

C. Quarterly Evaluations of Internal Control over Financial Reporting

1. Proposed Rule

2. Comments on the Proposal

3. Final Rules

D. Differences between Internal Control over Financial Reporting and Disclosure Controls and Procedures

E. Evaluation of Disclosure Controls and Procedures

F. Periodic Disclosure about the Certifying Officers' Evaluation of the Company's Disclosure Controls and Procedures and Disclosure about Changes to its Internal Control over Financial Reporting

1. Existing Disclosure Requirements

2. Proposed Amendments to the Disclosure Requirements

3. Final Disclosure Requirements

4. Conclusions Regarding Effectiveness of Disclosure Controls and Procedures

G. Attestation to Management's Internal Control Report by the Company's Registered Public Accounting Firm

H. Types of Companies Affected

1. Foreign Private Issuers

2. Asset-Backed Issuers

3. Small Business Issuers

4. Bank and Thrift Holding Companies

I. Registered Investment Companies

J. Transition Period

III. Discussion of Amendments Related to Certifications

A. Proposed Rules

B. Final Rules

C. Effect on Interim Guidance Regarding Filing Procedures

D. Form of Section 302 Certifications

E. Transition Period

IV. Paperwork Reduction Act

V. Cost-Benefit Analysis

VI. Effect on Efficiency, Competition and Capital Formation

VII. Final Regulatory Flexibility Analysis

VIII. Statutory Authority and Text of Rule Amendments

I. Background

A. Management's Report on Internal Control Over Financial Reporting

In this release, we implement Section 404 of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”),^[23] which requires us to prescribe rules requiring each annual report that a company, other than a registered investment company,^[24] files pursuant to Section 13(a) or 15(d) of the Exchange Act to contain an internal control report: (1) Stating management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) containing an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires every registered public accounting firm that prepares or issues an audit report on a company's annual financial statements to attest to, and report on, the assessment made by management. The attestation must be made in accordance with standards for attestation engagements issued or adopted by the Public Company Accounting Oversight Board (“PCAOB”).^[25] Section 404 further stipulates that the attestation cannot be the subject of a separate engagement of the registered public accounting firm.

We received over 200 comment letters in response to our release proposing requirements to implement Sections 404, 406 and 407 of the Sarbanes-Oxley Act.^[26] Of these, 61 respondents commented on the Section 404 proposals.^[27] These comment letters came from corporations, professional associations, accountants, law firms, consultants, academics, investors and others. In general, the commenters supported the objectives of the proposed new requirements. Investors supported the manner in which we proposed to achieve these objectives and, in some cases, urged us to require additional disclosure from companies. Other commenters, however, thought that we were requiring more disclosure than necessary to fulfill the mandates of the Sarbanes-Oxley Act and suggested modifications to the proposals. We have reviewed and considered all of the comments that we received on the proposals. The adopted rules reflect many of these comments—we discuss our conclusions with respect to each topic and related comments in more detail throughout the release.

B. Certifications

We also are adopting amendments to require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to annual, semi-annual and quarterly reports. Section 302 required the Commission to adopt final rules that were to be effective by August 29, 2002, under which the principal executive and principal financial officers, or persons performing similar functions, of a company filing periodic reports under Section 13(a) or 15(d) of the Exchange Act ^[28] must provide a certification in Start Printed Page 36638each quarterly and annual report filed with the Commission. Section 906 of the Sarbanes-Oxley Act added new Section 1350 to Title 18 of the United States Code,^[29] which contains a certification requirement subject to specific federal criminal provisions and that is separate and distinct from the certification requirement mandated by Section 302.^[30] On August 28, 2002, we adopted Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 and amended our periodic report forms to implement the statutory directive in Section 302.^[31] These rules and amendments became effective on August 29, 2002. On January 27, 2003, we adopted Form N-CSR to be used by registered management investment companies to file certified shareholder reports with the Commission.^[32] The provisions added to Title 18 by Section 906 were by their terms effective on enactment of the Sarbanes-Oxley Act.

To enhance the ability of interested parties to effectively access the certifications through our Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and thereby enhance compliance with the certification requirements, we proposed to amend our rules and forms to require a company to file the certifications as an exhibit to the periodic reports to which they relate.^[33] The proposals addressed both Section 302 and 906 certifications. After discussions with the Department of Justice, we concluded that, in light of the inconsistent methods that companies have been employing to fulfill their obligations under Section 906,^[34] an exhibit requirement would consistently enable investors and the Commission staff, as well as the Department of Justice, to more effectively monitor compliance with this certification requirement.

II. Discussion of Amendments Implementing Section 404

A. Definition of Internal Control

1. Proposed Rule

The proposed rules would have defined the term “internal controls and procedures for financial reporting” ^[35] to mean controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles as addressed by the Codification of Statements on Auditing Standards § 319 or any superseding definition or other literature that is issued or adopted by the Public Company Accounting Oversight Board.

As noted in the Proposing Release, there has been some confusion over the exact meaning and scope of the term “internal control,” because the definition of the term has evolved over time. Historically, the term “internal control” was applied almost exclusively within the accounting profession.^[36] As the auditing of financial statements evolved from a process of detailed testing of transactions and account balances towards a process of sampling and testing, greater consideration of a company's internal controls became necessary in planning an audit.^[37] If an internal control component had been adequately designed, then the auditor could limit further consideration of that control to procedures to determine whether the control had been placed in operation. Accordingly, the auditor could rely on the control to serve as a basis to reduce the amount, timing or extent of substantive testing in the execution of an audit. Conversely, if an auditor determined that an internal control component was inadequate in its design or operation, then the auditor could not rely upon that control. In this instance, the auditor would conduct tests of transactions and perform additional analyses in order to accumulate sufficient, competent audit evidence to support its opinion on the financial statements.

From the outset, it was recognized that internal control is a broad concept that extends beyond the accounting functions of a company. Early attempts to define the term focused primarily on clarifying the portion of a company's internal control that an auditor should consider when planning and performing an audit of a company's financial statements.^[38] However, this did not improve the level of understanding of the term, nor satisfactorily provide the guidance sought by auditors. Successive definitions and formal studies of the concept of internal control followed.

In 1977, based on recommendations of the Commission, Congress enacted the Foreign Corrupt Practices Act (“FCPA”).^[39] The FCPA codified the accounting control provisions contained in Statement of Auditing Standards No. 1 (codified as AU § 320 in the Codification of Statements on Auditing Standards). Under the FCPA, companies that have a class of securities registered under Section 12 of the Exchange Act, or that are required to file reports under Section 15(d) of the Exchange Act, are required to devise and maintain a Start Printed Page 36639system of internal accounting controls sufficient to provide reasonable assurances that:

• transactions are executed in accordance with management's general or specific authorization;
• transactions are recorded as necessary (1) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (2) to maintain accountability for assets;
• access to assets is permitted only in accordance with management's general or specific authorization; and
• the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.^[40]

In 1985, a private-sector initiative known as the National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, was formed to study the financial reporting system in the United States. In 1987, the Treadway Commission issued a report recommending that its sponsoring organizations work together to integrate the various internal control concepts and definitions and to develop a common reference point.

In response, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) ^[41] undertook an extensive study of internal control to establish a common definition that would serve the needs of companies, independent public accountants, legislators and regulatory agencies, and to provide a broad framework of criteria against which companies could evaluate the effectiveness of their internal control systems. In 1992, COSO published its Internal Control—Integrated Framework.^[42] The COSO Framework defined internal control as “a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in three categories—effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations. COSO further stated that internal control consists of: the control environment, risk assessment, control activities, information and communication, and monitoring. The scope of internal control therefore extends to policies, plans, procedures, processes, systems, activities, functions, projects, initiatives, and endeavors of all types at all levels of a company.

In 1995, the AICPA incorporated the definition of internal control set forth in the COSO Report in Statement on Auditing Standards No. 78 (codified as AU § 319 in the Codification of Statements on Auditing Standards).^[43] Although we recognized that the AU § 319 definition was derived from the COSO definition, our proposal referred to AU § 319 because we thought that the former constituted a more formal and widely-accessible version of the definition than the latter.

2. Comments on the Proposal

We received comments from 25 commenters on the proposed definition of “internal control and procedures for financial reporting.” Eleven commenters stated that the proposed definition of internal control was appropriate or generally agreed with the proposal.^[44] Two of these noted that the definition in AU § 319 had been adopted by the bank regulatory agencies for use by banking institutions.^[45] Fourteen of the 25 commenters opposed the proposed definition. Two of these asserted that the proposed definition was too complex and would not resolve the confusion that existed over the meaning or scope of the term.

Several of the commenters that were opposed to the proposed definition thought that we should refer to COSO for the definition of internal control, rather than AU § 319.^[46] Some of these commenters noted that the objective of AU § 319 is to provide guidance to auditors regarding their consideration of internal control in planning and performing an audit of financial statements. The common concern of these commenters was that AU § 319 does not provide any measure or standard by which a company's management can determine that internal control is effective, nor does it define what constitutes effective internal control. One commenter believed that absent such evaluative criteria or definition of effectiveness, the proposed rules could not be implemented effectively.^[47] In addition, several of the commenters opposed to the proposed definition suggested that we use the term “internal control over financial reporting” rather than the term “internal controls and procedures for financial reporting,”^[48] on the ground that the former is more consistent with the terminology currently used within the auditing literature.

A few of the commenters urged us to adopt a considerably broader definition of internal control that would focus not only on internal control over financial reporting, but also on internal control objectives associated with enterprise risk management and corporate governance. While we agree that these are important objectives, the definition that we are adopting retains a focus on financial reporting, consistent with our position articulated in the Proposing Release. We are not adopting a more expansive definition of internal control for a variety of reasons. Most important, we believe that Section 404 focuses on the element of internal control that relates to financial reporting. In addition, many commenters indicated that even the more limited definition related to financial reporting that we proposed will impose substantial reporting and cost burdens on companies. Finally, independent accountants traditionally have not been responsible for reviewing and testing, or attesting to an assessment by management of, internal controls that Start Printed Page 36640are outside the boundary of financial reporting.

3. Final Rules

After consideration of the comments, we have decided to make several modifications to the proposed amendments. We agree that we should use the term “internal control over financial reporting” in our amendments to implement Section 404, as well as our revisions to the Section 302 certification requirements and forms of certification.^[49] Rapidly changing terminology has been one obstacle in the development of an accepted understanding of internal control. The term “internal control over financial reporting” is the predominant term used by companies and auditors and best encompasses the objectives of the Sarbanes-Oxley Act. In addition, by using this term, we avoid having to familiarize investors, companies and auditors with new terminology, which should lessen any confusion that may exist about the meaning and scope of internal control.

The final rules define “internal control over financial reporting” as:

A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors,^[50] management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.^[51]

We recognize that our definition of the term “internal control over financial reporting” reflected in the final rules encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives. Our definition does not encompass the elements of the COSO Report definition that relate to effectiveness and efficiency of a company's operations and a company's compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations directly related to the preparation of financial statements, such as the Commission's financial reporting requirements.^[52] Our definition is consistent with the description of internal accounting controls in Exchange Act Section 13(b)(2)(B).^[53]

Following the general language defining internal control over financial reporting, clauses (1) and (2) include the internal control matters described in Section 103 of the Sarbanes-Oxley Act that the company's registered public accounting firm is required to evaluate in its audit or attestation report.^[54] This language is included to make clear that the assessment of management in its internal control report as to which the company's registered public accounting firm will be required to attest and report specifically covers the matters referenced in Section 103. A few commenters believed that it would cause confusion if the definition of internal control did not acknowledge the objectives set forth in Section 103 of the Sarbanes-Oxley Act. As discussed in Section II.G below, the PCAOB is responsible for establishing the Section 103 standards.

Our definition also includes, in clause (3), explicit reference to assurances regarding use or disposition of the company's assets. This provision is specifically included to make clear that, for purposes of our definition, the safeguarding of assets is one of the elements of internal control over financial reporting and it addresses the supplementation of the COSO Framework after it was originally promulgated. In the absence of our change to the definition, the determination of whether control regarding the safeguarding of assets falls within a company's internal control over financial reporting currently could be subject to varying interpretation.

Safeguarding of assets had been a primary objective of internal accounting control in SAS No. 1. In 1988, the ASB issued Statement of Auditing Standards No. 55 (codified as AU § 319 in the Codification of Statements on Auditing Standards), which replaced AU § 320. SAS No. 55 revised the definition of “internal control” and expanded auditors' responsibilities for considering internal control in a financial statement audit. The prior classification of internal control into the two categories of “internal accounting control” and “administrative control” was replaced with the single term “internal control structure,” which consisted of three interrelated components—control environment, the accounting system and control procedures. Under this new Start Printed Page 36641definition, the safeguarding of assets was no longer a primary objective, but a subset of the control procedures component.^[55] The COSO Report followed this shift in the iteration of safeguarding of assets. The COSO Report states that operations objectives “pertain to effectiveness and efficiency of the entity's operations, including performance and profitability goals and safeguarding resources against loss.” ^[56] However, the report also clarifies that safeguarding of assets can fall within other categories of internal control.^[57]

In 1994, COSO published an addendum to the Reporting to External Parties volume of the COSO Report. The addendum was issued in response to a concern expressed by some parties, including the U.S. General Accounting Office, that the management reports contemplated by the COSO Report did not adequately address controls relating to safeguarding of assets and therefore would not fully respond to the requirements of the FCPA.^[58] In the addendum, COSO concluded that while it believed its definition of internal control in its 1992 report remained appropriate, it recognized that the FCPA encompasses certain controls related to safeguarding of assets and that there is a reasonable expectation on the part of some readers of management's internal control reports that the reports will cover such controls. The addendum therefore sets forth the following definition of the term “internal control over safeguarding of assets against unauthorized acquisition, use or disposition”:

Internal control over safeguarding of assets against unauthorized acquisition, use or disposition is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity's assets that could have a material effect on the financial statements.

As indicated above, to achieve the desired result and to provide consistency with COSO's 1994 addendum, we have incorporated this definition into our definition of “internal control over financial reporting.” We are persuaded that this is appropriate given the fact that our definition will be used for purposes of public management reporting, and that the companies that will be subject to the Section 404 requirements also are subject to the FCPA requirements. So, under the final rules, safeguarding of assets as provided is specifically included in our definition of “internal control over financial reporting.”

B. Management's Annual Assessment of, and Report on, the Company's Internal Control Over Financial Reporting

1. Proposed Rule

We proposed to amend Item 307 of Regulations S-K and S-B, as well as Forms 20-F and 40-F, to require a company's annual report to include an internal control report of management containing:

• A statement of management's responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting;
• The conclusions of management about the effectiveness of the company's internal controls and procedures for financial reporting based on management's evaluation of those controls and procedures; and
• A statement that the registered public accounting firm that prepared or issued the company's audit report relating to the financial statements included in the company's annual report has attested to, and reported on, management's evaluation of the company's internal controls and procedures for financial reporting.

The proposed amendments did not list any additional disclosure requirements for the management report, but rather would have afforded management the flexibility to tailor the report to fit its company's particular circumstances.

2. Comments on the Proposal

We received comments from 17 commenters on our proposed annual internal control report requirements. All of these commenters believed, in varying degrees, that we should set forth additional disclosure criteria or standards for the management report. Nine commenters stated that we should provide guidance as to the topics to be addressed in the management report, or specify standards or a common set of internal control objectives to be considered by management when assessing the effectiveness of its company's internal control over financial reporting to ensure that control objectives are addressed in a consistent fashion.^[59] These commenters believed that consistent standards for management's report on internal control would help investors to understand and compare the quality of various management internal control reports.

Several commenters also thought that we should require management's internal control report to include certain recitations that would parallel recitations that the registered public accounting firm would have to make in its report attesting to management's assessment.^[60] Additional commenters believed that the management report on internal control should specifically reference the objectives contained in Section 103 of the Sarbanes-Oxley Act.^[61] Furthermore, although Section 404(b) of the Sarbanes-Oxley Act does not explicitly direct us to require companies to file the registered public accounting firms' attestation reports as part of the companies' annual report filings, we proposed a filing Start Printed Page 36642requirement that most of those commenting on this aspect of the proposal supported.

3. Final Rules

After evaluating the comments received, we are adopting the proposals with several modifications. The final rules require a company's annual report to include an internal control report of management that contains:

• A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;
• Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective.^[62] The assessment must include disclosure of any “material weaknesses” ^[63] in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting; and

• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.^[64]

As proposed, our final rules also require a company to file, as part of the company's annual report, the attestation report of the registered public accounting firm that audited the company's financial statements.

a. Evaluation of Internal Control Over Financial Reporting

In the Proposing Release, we requested comment on whether we should establish specific evaluative criteria for management's report on internal control. All of the commenters responding to this request supported the establishment of such evaluative criteria in order to improve comparability among the standards used by companies to conduct their annual internal control evaluations.^[65] Several commenters believed that we either should adopt the COSO Framework as the means by which management must evaluate its company's internal control over financial reporting or, alternatively, simply acknowledge the COSO Framework as being suitable for purposes of management's evaluation. Other commenters suggested that we require management to evaluate the effectiveness of a company's internal control over financial reporting using suitable control criteria established by a group that follows due process procedures.

After consideration of the comments, we have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.^[66]

The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States,^[67] and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors. The use of standard measures that are publicly available will enhance the quality of the internal control report and will promote comparability of the internal control reports of different companies. The final rules require management's report to identify the evaluation framework used by management to assess the effectiveness of the company's internal control over financial reporting.^[68]

Specifically, a suitable framework must: be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company's internal control; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal controls are not omitted; and be relevant to an evaluation of internal control over financial reporting.^[69]

b. Auditor Independence Issues

Because the auditor is required to attest to management's assessment of internal control over financial reporting, management and the company's independent auditors will need to coordinate their processes of documenting and testing the internal controls over financial reporting. However, we remind companies and their auditors that the Commission's rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client.^[70] As the Commission stated in its auditor independence release, auditors may assist management in documenting internal controls. When the auditor is engaged to assist management in documenting internal controls, management must be actively involved in the process. We understand the need for coordination between management and the auditor, however, we remind companies and auditors that management cannot delegate its responsibility to assess its internal controls over financial reporting to the auditor.^[71] The rules adopted today do Start Printed Page 36643not amend the Commission's rules on auditor independence.

c. Material Weaknesses in Internal Control Over Financial Reporting

In the Proposing Release, we did not propose any specific standard on which management would base its conclusion that the company's internal control over financial reporting is effective. We requested comment on whether we should prescribe specific standards upon which an effectiveness determination would be based, and also what standards we should consider. Several commenters agreed that the final rules should specify standards, and all believed that the existence of a material weakness in internal control over financial eporting should preclude a conclusion by management that a registrant's internal control over financial reporting is effective. We have considered these comments, and agree that the rules should set forth this threshold for concluding that a company's internal control over financial reporting is effective.

The final rules therefore preclude management from determining that a company's internal control over financial reporting is effective if it identifies one or more material weaknesses in the company's internal control over financial reporting.^[72] For purposes of the final rules, the term “material weakness” has the same meaning as in the definition under GAAS and attestation standards.^[73] The final rules also specify that management's report must include disclosure of any “material weakness” in the company's internal control over financial reporting identified by management in the course of its evaluation.^[74]

d. Method of Evaluating

Many commenters addressed the method of evaluating internal control over financial reporting, and some sought additional precision or guidance regarding the extent of evaluation, including the documentation required.^[75] The methods of conducting evaluations of internal control over financial reporting will, and should, vary from company to company. Therefore, the final rules do not specify the method or procedures to be performed in an evaluation. However, in conducting such an evaluation and developing its assessment of the effectiveness of internal control over financial reporting, a company must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the company's internal control over financial reporting. Developing and maintaining such evidential matter is an inherent element of effective internal controls.^[76] An instruction to new Item 308 of Regulations S-K and S-B and Forms 20-F and 40-F reminds registrants to maintain such evidential matter.^[77]

The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to: controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements; controls related to the initiation and processing of non-routine and non-systematic transactions; controls related to the selection and application of appropriate accounting policies; and controls related to the prevention, identification, and detection of fraud. The nature of a company's testing activities will largely depend on the circumstances of the company and the significance of the control. However, inquiry alone generally will not provide an adequate basis for management's assessment.^[78]

An assessment of the effectiveness of internal control over financial reporting must be supported by evidential matter, including documentation, regarding both the design of internal controls and the testing processes. This evidential matter should provide reasonable support: for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; for the conclusion that the tests were appropriately planned and performed; and that the results of the tests were appropriately considered. The public accounting firm that is required to attest to, and report on, management's assessment of the effectiveness of the company's internal control over financial reporting also will require that the company develop and maintain such evidential matter to support management's assessment.^[79]

e. Location of Management's Report

Although the final rules do not specify where management's internal control report must appear in the company's annual report, we think it is important for management's report to be in close proximity to the corresponding attestation report issued by the company's registered public accounting firm. We expect that many companies will choose to place the internal control report and attestation report near the companies' MD&A disclosure or in a portion of the document immediately preceding the companies' financial statements.

C. Quarterly Evaluations of Internal Control Over Financial Reporting

1. Proposed Rule

We proposed to require a company's certifying officers to evaluate the effectiveness of the company's internal controls and procedures for financial reporting as of the end of the period covered by each annual and quarterly Start Printed Page 36644report that the company is required to file under the Exchange Act. The company's certifying officers already are required to evaluate the effectiveness of the company's disclosure controls and procedures on a quarterly basis.^[80] We noted that a quarterly evaluation requirement with respect to internal controls would create symmetry between our requirements for periodic evaluations of both the company's disclosure controls and procedures and its internal controls and procedures for financial reporting, and give effect to the language in the Section 302 certification requirements regarding quarterly internal control evaluations.

2. Comments on the Proposal

We received responses from 25 commenters on the proposed amendments. Of the 25 commenters, four supported the proposal to require quarterly evaluations of internal controls and procedures for financial reporting.^[81] One commenter specifically concurred with our objective of creating symmetry between the requirements to conduct periodic evaluations of both the company's disclosure controls and procedures and its internal controls and procedures for financial reporting.^[82]

Twenty-one commenters opposed quarterly evaluations of internal controls.^[83] Many of these believed that quarterly evaluations would impose substantial additional costs on companies without producing any incremental benefit to investors. One individual stated that the proper evaluation of a company's system of internal controls is a weighty and time-consuming process.^[84] Twelve of the commenters opposed to quarterly evaluations indicated that quarterly evaluations of all aspects of internal controls and procedures would be extremely burdensome, expensive and difficult to perform under the time constraints of quarterly reporting, particularly as the accelerated filing deadlines for quarterly reports take effect.^[85] Several other commenters argued that we should not go beyond the requirements of Section 404 of the Sarbanes-Oxley Act with respect to the frequency of internal control reporting without an adequate basis for doing so.^[86] These commenters remarked that such a decision would be better made after we have had sufficient experience with the Section 302 certification requirements adopted in August of 2002.

Several commenters suggested alternatives to quarterly evaluations. Five commenters stated that it would be more appropriate and desirable if companies were required to make quarterly disclosure only of material changes to their internal control that occurred subsequent to management's most recent annual internal control evaluation.^[87] Two other commenters similarly recommended that the quarterly evaluation be less rigorous than the annual evaluation.^[88] One commenter stated that we should instead adopt an approach that requires less effort and assurance for purposes of quarterly reports, such as permitting companies to test compliance with controls relating to major applications on a rotating basis throughout the year.^[89] This commenter further stated that the objective of the quarterly evaluation should be to identify changes in controls during the quarter and evaluate whether they would change the certifying officers' conclusions about disclosure controls and internal controls as stated in the most recent annual report. The other commenter, although opposed to any quarterly evaluation requirement, believed that if we did require it, the quarterly evaluation should be viewed as an update of the annual evaluation, just as the quarterly report on Form 10-Q is an update of the annual report on Form 10-K.^[90] One commenter stated that if we require some form of quarterly certification, it should be limited to negative assurance that nothing has come to the certifying officers' attention since the prior year's evaluation to suggest that the controls are no longer effective.^[91]

3. Final Rules

After consideration of the comments received, we have decided not to require quarterly evaluations of internal control over financial reporting that are as extensive as the annual evaluation. We recognize that some controls operate continuously while others operate only at certain times, such as the end of the fiscal year. We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances. The management of each company should perform evaluations of the design and operation of the company's entire system of internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the company's fiscal year, the design and operation of the company's internal control over financial reporting are effective.

Accordingly, we are adopting amendments that require a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. We also have adopted a modification to the Section 302 certification requirement and our disclosure requirements to adopt this approach, as discussed below.

The management of a foreign private issuer that has Exchange Act reporting obligations must also, like its domestic counterparts, report any material changes to the issuer's internal control over financial reporting. However, because foreign private issuers are not required to file quarterly reports under Section 13(a) or 15(d) of the Exchange Act, the final rules clarify that a foreign private issuer's management need only disclose in the issuer's annual report the material changes to its internal control over financial reporting that have occurred in the period covered by the annual report.^[92]

D. Differences Between Internal Control Over Financial Reporting and Disclosure Controls and Procedures

Many of the commenters on the Proposing Release indicated that they Start Printed Page 36645were confused as to the differences between a company's disclosure controls and procedures and a company's internal control over financial reporting. Exchange Act Rule 13a-15(d) defines “disclosure controls and procedures” to mean controls and procedures of a company that are designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. The definition further states that disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that the information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.

While there is substantial overlap between a company's disclosure controls and procedures and its internal control over financial reporting, there are both some elements of disclosure controls and procedures that are not subsumed by internal control over financial reporting and some elements of internal control that are not subsumed by the definition of disclosure controls and procedures.

With respect to the latter point, clearly, the broad COSO description of internal control, which includes the efficiency and effectiveness of a company's operations and the company's compliance with laws and regulations (not restricted to the federal securities laws), would not be wholly subsumed within the definition of disclosure controls and procedures. A number of commenters suggested that the narrower concept of internal control, involving internal control over financial reporting, is a subset of a company's disclosure controls and procedures, given that the maintenance of reliable financial reporting is a prerequisite to a company's ability to submit or file complete disclosure in its Exchange Act reports on a timely basis. This suggestion focuses on the fact that the elements of internal control over financial reporting requiring a company to have a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles can be viewed as a subset of disclosure controls and procedures.

We agree that some components of internal control over financial reporting will be included in disclosure controls and procedures for all companies. In particular, disclosure controls and procedures will include those components of internal control over financial reporting that provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles. However, in designing their disclosure controls and procedures, companies can be expected to make judgments regarding the processes on which they will rely to meet applicable requirements. In doing so, some companies might design their disclosure controls and procedures so that certain components of internal control over financial reporting pertaining to the accurate recording of transactions and disposition of assets or to the safeguarding of assets are not included. For example, a company might have developed internal control over financial reporting that includes as a component of safeguarding of assets dual signature requirements or limitations on signature authority on checks. That company could nonetheless determine that this component is not part of disclosure controls and procedures. We therefore believe that while there is substantial overlap between internal control over financial reporting and disclosure controls and procedures, many companies will design their disclosure controls and procedures so that they do not include all components of internal control over financial reporting.

E. Evaluation of Disclosure Controls and Procedures

The rules in place starting in August 2002 requiring quarterly evaluations of disclosure controls and procedures and disclosure of the conclusions regarding effectiveness of disclosure controls and procedures have not been substantively changed since their adoption, including in the rules that we adopt today. These evaluation and disclosure requirements will continue to apply to disclosure controls and procedures, including the elements of internal control over financial reporting that are subsumed within disclosure controls and procedures.

With respect to evaluations of disclosure controls and procedures, companies must, under our rules and consistent with the Sarbanes-Oxley Act, evaluate the effectiveness of those controls and procedures on a quarterly basis. While the evaluation is of effectiveness overall, a company's management has the ability to make judgments (and it is responsible for its judgments) that evaluations, particularly quarterly evaluations, should focus on developments since the most recent evaluation, areas of weakness or continuing concern or other aspects of disclosure controls and procedures that merit attention. Finally, the nature of the quarterly evaluations of those components of internal control over financial reporting that are subsumed within disclosure controls and procedures should be informed by the purposes of disclosure controls and procedures.^[93]

The rules adopted in August 2002 required the management of an Exchange Act reporting foreign private issuer to evaluate and disclose conclusions regarding the effectiveness of the issuer's disclosure controls and procedures only in its annual report and not on a quarterly basis. The primary reason for this treatment is because foreign private issuers are not subject to mandated quarterly reporting requirements under the Exchange Act. The rules adopted today continue this treatment.^[94]

F. Periodic Disclosure About the Certifying Officers' Evaluation of the Company's Disclosure Controls and Procedures and Disclosure About Changes to its Internal Control Over Financial Reporting

1. Existing Disclosure Requirements

The rules that we adopted in August 2002 to implement the certification requirements of Section 302 of the Sarbanes-Oxley Act included new Item 307 of Regulations S-B and S-K. Paragraph (a) of Item 307 requires companies, in their quarterly and annual reports, to disclose the conclusions of the company's principal executive and financial officers (or persons performing similar functions) about the effectiveness of the company's disclosure controls and procedures as of a date within 90 days of the filing date of the quarterly or annual report. This disclosure enables the certifying officers to satisfy the representation made in Start Printed Page 36646their certifications that they have “presented in the quarterly or annual report their conclusions about the effectiveness of the disclosure controls and procedures based on their evaluation.”

Paragraph (b) of Item 307 requires the company to disclose in each quarterly and annual report whether or not there were significant changes in the company's internal controls or in other factors that could significantly affect these controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses. This disclosure enables the certifying officers to satisfy the representation made in their certifications that they have “indicated in the quarterly or annual report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.”

2. Proposed Amendments to the Disclosure Requirements

In the Proposing Release, we proposed several revisions to the existing disclosure requirements regarding: (1) The certifying officers' evaluation of the company's disclosure controls and procedures; and (2) changes to the company's internal control over financial reporting. We also proposed to require quarterly disclosure regarding the conclusions of the certifying officers about the effectiveness of the company's internal control over financial reporting.

Moreover, we proposed to require evaluations of both types of controls as of the end of the period covered by the quarterly or annual report, rather than “as of a date within 90 days of the filing date” of the quarterly or annual report, as currently required with respect to disclosure controls. With respect to the disclosure about changes to the company's internal control over financial reporting, we proposed to require a company to disclose “any significant changes made during the period covered by the quarterly or annual report” rather than “whether or not there were significant changes in the company's internal control over financial reporting that could significantly affect these controls subsequent to the date of their evaluation.”

The commenters were mixed in their reaction to these proposed changes. A couple of the commenters remarking on the point at which a company must undertake an evaluation of its controls “strongly agreed” with the proposed change to require evaluations as of the end of the period. Several other commenters preferred the existing “90 days within the filing date” evaluation point, noting that it provides more flexibility than the fixed point. Some of these commenters expressed concern that it would be hard to conduct evaluations on the last day of the period. One of the commenters suggested that the proposed requirement that a company disclose changes to its internal control over financial reporting that occurred at any time during a fiscal quarter was inconsistent with the proposed requirement that management evaluate such changes “as of the end of each fiscal quarter.”^[95] An additional commenter asserted that it was critical that we offer companies some guidance as to the types of changes that constitute “significant changes.”^[96] Finally, a few commenters noted that while we had proposed to delete the words “or other factors” from Exchange Act Rules 13a-14(b)(6) and 15d-14(b)(6) regarding disclosure of “significant changes in internal controls or in other factors that could significantly affect internal controls, * * *” we had not likewise proposed to delete those words from the actual certification language.

3. Final Disclosure Requirements

After consideration of the comments, we are adopting the proposals with several modifications. We are adopting as proposed the change of the evaluation date for disclosure controls to “as of the end of the period” covered by the quarterly or annual report. We are not specifying the point at which management must evaluate changes to the company's internal control over financial reporting. Given that the final rules do not require a company to state the conclusions of the certifying officers regarding the effectiveness of the company's internal control over financial reporting as of a particular date on a quarterly basis as proposed, as the company must with respect to disclosure controls and procedures, it is unnecessary to specify a date for the quarterly evaluation of changes in internal control over financial reporting. We believe that this change is consistent with the new accelerated reporting deadlines.^[97]

We are amending the proposal that would have required companies to disclose any significant changes in its internal controls. Under the final rules, a company must disclose any change in its internal control over financial reporting that occurred during the fiscal quarter covered by the quarterly report, or the last fiscal quarter in the case of an annual report, that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.^[98] Furthermore, we have deleted the phrase “or in other factors” from Exchange Act Rules 13a-14 and 15d-15 and the form of certification. Although the final rules do not explicitly require the company to disclose the reasons for any change that occurred during a fiscal quarter, or to otherwise elaborate about the change, a company will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosure about the change not misleading.^[99]

While an evaluation of the effectiveness of disclosure controls and procedures must be undertaken on a quarterly basis, we expect that for purposes of disclosure by domestic companies, the traditional relationship between disclosure in annual reports on Form 10-K and intervening quarterly reports on Form 10-Q will continue. Disclosure in an annual report that continues to be accurate need not be repeated. Rather, disclosure in quarterly reports may make appropriate reference to disclosures in the most recent annual report (and, where appropriate, intervening quarterly reports) and disclose subsequent developments required to be disclosed in the quarterly report.

We note that, as required by the Sarbanes-Oxley Act, the quarterly certification regarding disclosure that the certifying officers must make to the company's auditors and audit committee provides:^[100]

The company's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.

We expect that if a certifying officer becomes aware of a significant deficiency, material weakness or fraud requiring disclosure outside of the formal evaluation process or after the management's most recent evaluation of internal control over financial reporting, he or she will disclose it to the company's auditors and audit committee.

4. Conclusions Regarding Effectiveness of Disclosure Controls and Procedures

In disclosures required under current Item 307 of Regulations S-K and S-B, Item 15 of Form 20-F and General Instruction B(6) to Form 40-F, some companies have indicated that disclosure controls and procedures are designed only to provide “reasonable assurance” that the controls and procedures will meet their objectives. In reviewing those disclosures, the Commission staff generally has not objected to that type of disclosure. The staff has, however, requested companies including that type of disclosure to set forth, if true, the conclusions of the principal executive and principal financial officer that the disclosure controls and procedures are, in fact, effective at the “reasonable assurance” level. Other companies have included disclosure that there is “no assurance” that the disclosure controls and procedures will operate effectively under all circumstances. In these instances, the staff has requested companies to clarify that the disclosure controls and procedures are designed to provide reasonable assurance of achieving their objectives and to set forth, if true, the conclusions of the principal executive and principal financial officers that the controls and procedures are, in fact, effective at the “reasonable assurance” level.

The concept of reasonable assurance is built into the definition of internal control over financial reporting that we are adopting. This conforms to the standard contained in the internal accounting control provisions of Section 13(b)(2) of the Exchange Act ^[101] and current auditing literature.^[102] If management decides to include a discussion of reasonable assurance in the internal control report, the discussion must be presented in a manner that neither makes the disclosure in the report confusing nor renders management's assessment concerning the effectiveness of the company's internal control over financial reporting unclear.

G. Attestation to Management's Internal Control Report by the Company's Registered Public Accounting Firm

In the Proposing Release, we proposed to amend Rules 210.1-02 and 210.2-02 of Regulation S-X to make conforming revisions to Regulation S-X to reflect the registered public accounting firm attestation requirements mandated by Section 404(b) of the Sarbanes-Oxley Act. Under the proposals, we set forth a definition for the new term “attestation report on management's evaluation of internal control over financial reporting” and certain requirements for the accountant's attestation report. We are adopting the proposals substantially as proposed. However, the final rules define the expanded term “attestation report on management's evaluation of internal control over financial reporting.” Several commenters suggested that we use this more specific term, noting that auditors currently perform attestation engagements on a broad variety of subjects. Amended Rule 2-02 requires every registered public accounting firm that issues an audit report on the company's financial statements that are included in its annual report required by Section 13(a) or 15(d) of the Exchange Act containing an assessment by management of the effectiveness of the registrant's internal control over financial reporting must attest to, and report on, such assessment.

At the time of the enactment of the Sarbanes-Oxley Act, the applicable standard for attestation by auditors of internal control over financial reporting was set forth in Statements on Standards for Attestation Engagements No. 10 (“SSAE No. 10”). That standard was used by auditors providing attestations on a voluntary basis to companies, as well as by auditors whose financial institution clients are required to obtain attestations under Federal Deposit Insurance Corporation Improvement Act of 1991,^[103] as discussed below. Under the Sarbanes-Oxley Act, the PCAOB has become the body that sets auditing and attestation standards generally for registered public accounting firms to use in the preparation and issuance of audit reports on the financial statements of issuers, and under Section 404(b) of the Sarbanes-Oxley Act, the PCAOB is required to set standards for the registered public accounting firms' attestations to, and reports on, management's assessment regarding its internal control over financial reporting.

On April 16, 2003, the PCAOB designated Statements on Standards for Attestation Engagements as existed on April 16 as the standard for attestations of management's assessment of the effectiveness of internal control over financial reporting pending further PCAOB standard-setting in the area (and subject to our approval of the PCAOB's actions), and on April 25, we approved the PCAOB's action. SSAE No. 10 is thus the standard applicable on a transition basis for attestations required under Section 404 of the Act and the rules we are adopting today, again pending further PCAOB standard-setting (and our approval). We expect that the PCAOB will assess the appropriateness of those standards and modify them as needed, and any future standards adopted by the PCAOB will apply to registered public accounting firms in connection with the preparation and issuance of attestation reports on management's assessment of the effectiveness of internal control over financial reporting.

H. Types of Companies Affected

Section 404 of the Sarbanes-Oxley Act states that the Commission must prescribe rules that require each annual report required by Section 13(a) or 15(d) of the Exchange Act to contain an internal control report. The Act exempts registered investment companies from this requirement.^[104]

1. Foreign Private Issuers

Section 404 of the Sarbanes-Oxley Act makes no distinction between domestic and foreign issuers and, by its terms, clearly applies to foreign private issuers. These amendments, therefore, apply the management report on internal control over financial reporting requirement to foreign private issuers that file reports under Section 13(a) or 15(d) of the Exchange Act. We have, however, adopted a later compliance date for Start Printed Page 36648foreign private issuers than for accelerated filers.

2. Asset-Backed Issuers

In the Proposing Release, we proposed to exclude issuers of asset-backed securities from the proposed rules implementing Section 404 of the Act. We noted that because of the unique nature of asset-backed issuers, such issuers are subject to substantially different reporting requirements. Most significantly, asset-backed issuers are generally not required to file the types of financial statements that other companies must file. Also, such entities typically are passive pools of assets, without a board of directors or persons acting in a similar capacity. We did not receive any comments on the proposed exclusion of asset-backed issuers from the internal control reporting requirements, and we are excluding asset-backed issuers from the new disclosure requirements as proposed.

3. Small Business Issuers

Our proposed rules implementing Section 404 of the Act did not distinguish between large and small issuers. Similarly, Section 404 of the Act directs that the management report on internal control over financial reporting apply to any company filing periodic reports under Section 13(a) or 15(d) of the Exchange Act. Accordingly, these amendments apply to all issuers that file Exchange Act periodic reports, except registered investment companies, regardless of their size. However, we are sensitive that many small business issuers may experience difficulty in evaluating their internal control over financial reporting because these issuers may not have as formal or well-structured a system of internal control over financial reporting as larger companies. Accordingly, we are providing an extended compliance period for small business issuers and other companies that are not accelerated filers.^[105] In addition, our approach of not mandating specific criteria to be used by management to evaluate a company's internal control over financial reporting should provide small issuers some flexibility in meeting these disclosure requirements.

4. Bank and Thrift Holding Companies

In the Proposing Release, we stated that we were coordinating with the Federal Deposit Insurance Corporation (the “FDIC”) and the other federal banking regulators to eliminate, to the extent possible, any unnecessary duplication between our proposed internal control report and the FDIC's internal control report requirements. Under regulations adopted by the FDIC implementing Section 36 of the Federal Deposit Insurance Act,^[106] a federally insured depository institution with total assets of $500 million or more (“institution”), is required, among other things, to prepare an annual management report that contains:

• A statement of management's responsibility for preparing the institution's annual financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with designated laws and regulations relating to safety and soundness;^[107] and

• Management's assessment of the effectiveness of the institution's internal control structure and procedures for financial reporting as of the end of the fiscal year and the institution's compliance with the designated safety and soundness laws and regulations during the fiscal year.^[108]

The FDIC's regulations additionally require the institution's independent accountant to examine, and attest to, management's assertions concerning the effectiveness of the institution's internal control structure and procedures for financial reporting.^[109] The institution's management report and the accountant's attestation report must be filed with the FDIC, the institution's primary federal regulator (if other than the FDIC), and any appropriate state depository institution supervisor and must be available for public inspection.^[110]

Although bank and thrift holding companies are not required under the FDIC's regulations to prepare these internal control reports, many of these holding companies do so under a provision of Part 363 of the FDIC's regulations^[111] that permits an insured depository institution that is the subsidiary of a holding company to satisfy its internal control report requirements with an internal control report of the consolidated holding company's management if:

• Services and functions comparable to those required of the subsidiary by Part 363 are provided at the holding company level;^[112] and

• The subsidiary has, as of the beginning of its fiscal year, (i) total assets of less than $5 billion or (ii) total assets of $5 billion or more and a composite rating of 1 or 2 under the Uniform Financial Institutions Rating System.^[113]

Section 404 of the Sarbanes-Oxley Act does not contain an exemption for insured depository institutions that are both subject to the FDIC's internal control report requirements and required to file Exchange Act reports. In fact, it makes no distinction whatsoever between institutions subject to the FDIC's requirements and other types of Exchange Act filers. Accordingly, regardless of whether an insured depository institution is subject to the FDIC's requirements, insured depository institutions or holding companies that are required to file periodic reports under Section 13(a) or 15(d) of the Exchange Act are subject to the internal control reporting requirements that we are adopting today.

Although our final rules are similar to the FDIC's internal control report requirements, the rules differ in a few significant respects. Most notably, our final rules do not require a statement of compliance with designated laws and regulations relating to safety and soundness. Conversely, the following Start Printed Page 36649provisions in our rules are not included in the FDIC's regulations:

• The requirement that the report include a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting;^[114]

• The requirement that management disclose any material weakness that it has identified in the company's internal control over financial reporting (and related stipulation that management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses);
• The requirement that the company state that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting; and
• The requirement that the company must provide the registered public accounting firm's attestation report on management's assessment of internal control over financial reporting in the company's annual report filed under the Exchange Act.^[115]

Several commenters generally supported our goal to eliminate or reduce duplicative reporting requirements. Some of these commenters asserted that we should recognize the substantial protections to depositors and investors provided by the federal laws that govern depository institutions and their holding companies. They suggested that our final rules should state that compliance with the FDIC's internal control report requirements satisfies the internal control report requirements that we are adopting under Section 404. A number of these commenters also thought that if we did not exempt insured depository institutions already filing internal control reports under the FDIC's requirements, we should provide an exemption in our rules mirroring the FDIC's exemption that excludes insured depository institutions or their holding companies with less than $500 million in assets from the internal control report requirements.

After consultation with the staffs of the FDIC, the Federal Reserve Board, the Office of Thrift Supervision and the Office of the Comptroller of Currency, we have determined that insured depository institutions that are subject to Part 363 of the FDIC's regulations (as well as holding companies permitted to file an internal control report on behalf of their insured depository institution subsidiaries in satisfaction of these regulations) and also subject to our new rules implementing Section 404 of the Sarbanes-Oxley Act ^[116] should be afforded considerable flexibility in determining how best to satisfy both sets of requirements. Therefore, they can choose either of the following two options:

• They can prepare two separate management reports to satisfy the FDIC's and our new requirements; or
• They can prepare a single management report that satisfies both the FDIC's requirements and our new requirements.

If an insured depository institution or its holding company chooses to prepare a single report to satisfy both sets of requirements, the report of management on the institution's or holding company's internal control over financial reporting (as defined in Exchange Act Rule 13a-15(f) or 15d-15(f)) will have to contain the following: ^[117]

• A statement of management's responsibility for preparing the registrant's annual financial statements, for establishing and maintaining adequate internal control over financial reporting for the registrant, and for the institution's compliance with laws and regulations relating to safety and soundness designated by the FDIC and the appropriate federal banking agencies;
• A statement identifying the framework used by management to evaluate the effectiveness of the registrant's internal control over financial reporting as required by Exchange Act Rule 13a-15 or 15d-15;
• Management's assessment of the effectiveness of the registrant's internal control over financial reporting as of the end of the registrant's most recent fiscal year, including a statement as to whether or not management has concluded that the registrant's internal control over financial reporting is effective, and of the institution's compliance with the designated safety and soundness laws and regulations during the fiscal year. This discussion must include disclosure of any material weakness in the registrant's internal control over financial reporting identified by management; ^[118] and

• A statement that the registered public accounting firm that audited the financial statements included in the registrant's annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.

Additionally, the institution or holding company will have to provide the registered public accounting firm's attestation report on management's assessment in its annual report filed under the Exchange Act.^[119] For purposes of the report of management and the attestation report, financial reporting must encompass both financial statements prepared in accordance with GAAP and those prepared for regulatory reporting purposes.

I. Registered Investment Companies

Section 404 of the Sarbanes-Oxley Act does not apply to registered investment Start Printed Page 36650companies, and we are not extending any of the requirements that would implement section 404 to registered investment companies.^[120] Several commenters objected to the proposed requirement that the Section 302 certification include a statement of the officers' responsibility for internal controls.^[121] These commenters argued that this requirement would contradict Section 405 of the Sarbanes-Oxley Act and represent a “back-door” application of Section 404, from which registered investment companies are exempt.^[122] We disagree. The certification requirements implement Section 302 of the Sarbanes-Oxley Act, from which registered investment companies are not exempt.^[123] We are not subjecting registered investment companies to the requirements implementing Section 404 of the Sarbanes-Oxley Act, including the annual and quarterly evaluation requirements with respect to internal control over financial reporting and the requirements for an annual report by management on internal control over financial reporting and an attestation report on management's assessment.

We are adopting the following technical changes to our rules and forms implementing Section 302 of the Sarbanes-Oxley Act for registered investment companies in order to conform to the changes that we are adopting for operating companies.^[124]

• Paragraph (d) of Investment Company Act Rule 30a-3. The amendments use the same term “internal control over financial reporting” that we are using in the rules for operating companies and include the same definition of “internal control over financial reporting” that we are adopting in Exchange Act Rules 13a-15(f) and 15d-15(f).
• Paragraph (a) of Investment Company Act Rule 30a-3. The amendments require every registered management investment company, other than a small business investment company, to maintain internal control over financial reporting. These amendments parallel those that we are adopting for operating companies in Exchange Act Rules 13a-15(a) and 15d-15(a).
• Introductory text and sub-paragraph (b) of paragraph 4 of the certification in Item 10(a)(2) of Form N-CSR. The amendments require the signing officers to state that they are responsible for establishing and maintaining internal control over financial reporting, and that they have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under their supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
• Paragraph (4)(d) of the certification of Item 10(a)(2), and Item 9(b) of Form N-CSR. The amendments require disclosure of any change in the investment company's internal control over financial reporting that occurred during the most recent fiscal half-year that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.
• Paragraph (5) of the certification of Item 10(a)(2) of Form N-CSR. The amendments require the signing officers to state that they have disclosed to the investment company's auditors and the audit committee all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the investment company's ability to record, process, summarize, and report financial information.

We are not, however, adopting proposed amendments that would have required the evaluation by an investment company's management of the effectiveness of its disclosure controls and procedures to be as of the end of the period covered by each report on Form N-CSR, rather than within 90 days prior to the filing date of the report, as our certification rules currently require.^[125] Commenters noted that this would require investment company complexes that have funds with staggered fiscal year ends to perform evaluations of their disclosure controls and procedures as many as twelve times per year. They argued that requiring such frequent evaluations would be extremely costly, inefficient, and operationally disruptive, and would not provide any benefits to shareholders.^[126] We agree that the costs of requiring investment company complexes to perform evaluations of their disclosure controls and procedures twelve times per year would outweigh the benefits to investors. The certification rules we are adopting will require an investment company complex to perform at most four such evaluations per year.^[127]

Transition Period for Registered Investment Companies

Registered investment companies must comply with the rule and form amendments applicable to them on and after August 14, 2003, except as follows. Registered investment companies must comply with the amendments to Exchange Act Rules 13a-15(a) and 15d-15(a) and Investment Company Act Rule 30a-3(a) that require them to maintain internal control over financial reporting with respect to fiscal years ending on or after June 15, 2004. In addition, registered investment companies must comply with the portion of the introductory language in paragraph 4 of the certification in Item 10(a)(2) of Form N-CSR that refers to the certifying officers' responsibility for establishing Start Printed Page 36651and maintaining internal control over financial reporting, as well as paragraph 4(b) of the certification, beginning with the first annual report filed on Form N-CSR for a fiscal year ending on or after June 15, 2004.

J. Transition Period

We received a number of comments urging us to adopt an extended transition period for compliance with the new disclosure requirements.^[128] We have decided to delay the compliance date of the requirement to provide a management report assessing the effectiveness of internal control over financial reporting and an auditor's attestation to, and report on, that assessment beyond that in the Proposing Release so that companies and their auditors will have time to prepare and satisfy the new requirements. These compliance dates do not apply to registered investment companies, which are not required to provide the management report assessing the effectiveness of internal control over financial reporting and the related auditor's attestation.^[129] A company that is an “accelerated filer,” as defined in Exchange Act Rule 12b-2, as of the end of its first fiscal year ending on or after June 15, 2004, must begin to comply with the management report on internal control over financial reporting disclosure requirements promulgated under Section 404 of the Sarbanes-Oxley Act in its annual report for that fiscal year. We recognize that non-accelerated filers, including smaller companies and foreign private issuers, may have greater difficulty in preparing the management report on internal control over financial reporting. Therefore, these types of companies must begin to comply with the disclosure requirements in annual reports for their first fiscal year ending on or after April 15, 2005. A company must begin to comply with the quarterly evaluation of changes to internal control over financial reporting requirements for its first periodic report due after the first annual report that must include management's report on internal control over financial reporting. We believe that the transition period is appropriate in light of both the substantial time and resources needed to properly implement the rules^[130] and the corresponding benefit to investors that will result. In addition, the transition period will provide additional time for the PCAOB to consider relevant factors in determining and implementing any new attestation standard as it finds appropriate, subject to our approval.

Consistent with this extended compliance period for management's internal control report and the related attestation, and for the subsequent evaluation of changes in internal control over financial reporting, the following provisions of the rules adopted today are subject to the extended compliance period:

• The provisions of Items 308(a) and (b) of Regulations S-K and S-B and the comparable provisions of Forms 20-F and 40-F requiring management's internal control report and the related attestation;
• The amendments to Rules 13a-15(a) and 15d-15(a) under the Exchange Act relating to maintenance of internal control over financial reporting; and
• The provisions of Rules 13a-15(c) and (d) and 15d-15(c) and (d) under the Exchange Act requiring evaluations of internal control over financial reporting and changes thereto.

The extended compliance period does not in any way affect the provisions of our other rules and regulations regarding internal controls that are in effect, including, without limitation, Rule 13b-2 under the Exchange Act.

Other rules relating to evaluation and disclosure adopted today are effective on August 14, 2003. These other rules include amendments to Items 308(c) of Regulations S-K and S-B and the comparable provisions of Forms 20-F and 40-F requiring disclosure regarding certain changes in internal control over financial reporting. These amendments modify existing requirements regarding disclosure of changes in internal control over financial reporting, are related to statements made in the Section 302 certifications of principal executive and financial officers, and provide clarifications that are beneficial and whose implementation need not be delayed. These other rules that are effective on August 14, 2003 also include amendments relating to disclosure controls and procedures.

III. Discussion of Amendments Related to Certifications

A. Proposed Rules

We proposed to amend our rules and forms to require companies to file the certifications required by Section 302 of the Sarbanes-Oxley Act as an exhibit to the periodic reports to which they relate. Specifically, we proposed to amend the exhibit requirements of Forms 20-F and 40-F and Item 601 of Regulations S-B and S-K to add the Section 302 certifications to the list of required exhibits. In addition, we proposed to amend Exchange Act Rules 13a-14 and 15d-14 to require that Section 906 certifications accompany the periodic reports to which they relate, and to amend Forms 20-F and 40-F and Item 601 of Regulations S-B and S-K to add Section 906 certifications to the list of required exhibits. We also proposed to amend Investment Company Act Rule 30a-2 to require that Section 906 certifications accompany the periodic reports on Form N-CSR to which they relate and Item 10 of Form N-CSR to add the Section 906 certifications as a required exhibit.

We received eight comment letters in response to the proposals.^[131] The primary topic addressed by the commenters was whether Section 906 of the Sarbanes-Oxley Act applied to annual reports filed on Form 11-K. Most of the commenters believed that issuers required to file annual reports on Form 11-K should be exempt from the requirement to furnish a Section 906 certification as an exhibit.^[132] Two commenters noted that the language of Section 906 that requires certification of the chief executive officer and chief financial officer (or equivalent thereof) is inconsistent with the actual administration of employee benefit plans because such plans do not have individuals acting as chief executive officer and chief financial officer.^[133] Those commenters noted that employee benefit plans are typically administered through one or more committees that are appointed as the plan's named fiduciaries to administer the plan and oversee investments.^[134] In addition, some commenters believed that we should provide an exemption for Form 11-K because employee benefit plans are already subject to extensive regulation under the Employee Retirement Income Security Act of 1974 (“ERISA”),^[135] which includes a requirement for the plan administrator to certify, under penalties of perjury and other criminal and administrative Start Printed Page 36652penalties, the accuracy of the plan's disclosures under ERISA.^[136]

Commenters also addressed other topics related to Section 906. One commenter requested that the Commission allow Section 906 certifications to remain confidential.^[137] That commenter expressed concern that a plaintiff could use a Section 906 certification to create a basis for liability that did not otherwise exist.^[138] One commenter objected to the proposal to deem Section 906 certifications as “furnished,” rather than as “filed.”^[139] After considering all of the comments, we are adopting the proposals substantially as proposed.

On April 11, 2003, U.S. Senator Joseph Biden introduced a statement into the Congressional Record that discusses Section 906.^[140] The statement asserts that Section 906 “is intended to apply to any financial statement filed by a publicly-traded company, upon which the investing public will rely to gauge the financial health of the company,” which includes financial statements included in current reports on Forms 6-K and 8-K and annual reports on Form 11-K.^[141] The language added to Title 18 by Section 906 refers to “periodic reports containing financial statements,” and our proposals to require companies to furnish Section 906 certifications as exhibits applied to periodic (annual, semi-annual and quarterly) reports but did not address current reports on Forms 6-K and 8-K.^[142] One commenter addressed the statement in the Congressional Record, indicating that the suggested requirements would create substantial practical burdens for companies to provide Section 906 certifications in current reports filed on Forms 6-K or 8-K.^[143] We are also concerned that extending Section 906 certifications to Forms 6-K or 8-K could potentially chill the disclosure of information by companies. As noted above, four commenters argued that Section 906 should not apply to Form 11-K.^[144] In light of these developments, we are considering, in consultation with the Department of Justice, the application of Section 906 to current reports on Forms 6-K and 8-K and annual reports on Form 11-K and the possibility of taking additional action.

B. Final Rules

We are amending the exhibit requirements of Forms 20-F and 40-F and Item 601 of Regulations S-B and S-K to add the Section 302 certifications to the list of required exhibits.^[145] In the final rules, the specific form and content of the required certifications is set forth in the applicable exhibit filing requirement.^[146] To coordinate the rules requiring an evaluation of “disclosure controls and procedures” and “internal control over financial reporting,” we are moving the definition of the term “disclosure controls and procedures” from Exchange Act Rules 13a-14(c) and 15d-14(c) and Investment Company Act Rule 30a-2(c) to new Exchange Act Rules 13a-15(c) and 15d-15(c) and Investment Company Act Rule 30a-3(c), respectively.

We are amending Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 to require the Section 906 certifications to accompany periodic reports containing financial statements as exhibits. We also are amending the exhibit requirements in Forms 20-F, 40-F and Item 601 of Regulations S-B and S-K to add the Section 906 certifications to the list of required exhibits to be included in reports filed with the Commission. In addition, we are amending Item 10 of Form N-CSR to add the Section 906 certifications as a required exhibit. Because the Section 906 certification requirement applies to periodic reports containing financial statements that are filed by an issuer pursuant to Section 13(a) or 15(d) of the Exchange Act, the exhibit requirement will only apply to reports on Form N-CSR filed under these sections and not to reports on Form N-CSR that are filed under the Investment Company Act only.^[147] A failure to furnish the Section 906 certifications would cause the periodic report to which they relate to be incomplete, thereby violating Section 13(a) of the Exchange Act.^[148] In addition, referencing the Section 906 certifications in Exchange Act Rules 13a-14 and 15d-14 and Investment Company Act Rule 30a-2 subjects these certifications to the signature requirements of Rule 302 of Regulation S-T.^[149]

Section 906 requires that the certifications “accompany” the periodic report to which they relate. This is in contrast to Section 302, which requires the certifications to be included “in” the periodic report. In recognition of this difference, we are permitting companies to “furnish,” rather than “file,” the Section 906 certifications with the Commission.^[150] Thus, the certifications would not be subject to liability under Section 18 of the Exchange Act.^[151] Moreover, the certifications would not be subject to automatic incorporation by reference into a company's Securities Act registration statements, which are subject to liability under Section 11 of the Securities Act,^[152] unless the issuer takes steps to include the certifications in a registration statement.

Although Section 906 does not explicitly require the certifications to be made public, we believe that it is appropriate to require certifications that “accompany” a publicly filed periodic report to be provided publicly in this manner. We believe that Congress intended for Section 906 certifications Start Printed Page 36653to be publicly provided. Civil liability already exists under our signature requirements and the Section 302 certifications. In addition, any Section 906 certification submitted to the Commission as correspondence is subject to the Freedom of Information Act.^[153] Finally, the requirement to furnish Section 906 certifications as exhibits serves a number of important functions. First, the exhibit requirement enhances compliance by allowing the Commission, the Department of Justice and the public to monitor the certifications effectively. Second, by subjecting the Section 906 certifications to the signature requirements of Regulation S-T, companies are required to retain a manually signed signature page or other authenticating document for a five-year period. This requirement helps to preserve evidential matter in the event of prosecution.

There are important distinctions to be made between Sections 302 and 906 of the Sarbanes-Oxley Act. Unlike the Section 302 certifications, the Section 906 certifications are required only in periodic reports that contain financial statements. Therefore, amendments to periodic reports that do not contain financial statements would not require a new Section 906 certification, but would require a new Section 302 certification to be filed with the amendment.^[154] In addition, unlike the Section 302 certifications, the Section 906 certifications may take the form of a single statement signed by a company's chief executive and financial officers.^[155]

C. Effect on Interim Guidance Regarding Filing Procedures

We provided interim guidance regarding voluntary filing procedures for Section 906 certifications.^[156] That guidance encouraged issuers to submit their Section 906 certifications as exhibits to the periodic reports to which they relate.^[157] For issuers that are not investment companies, that interim voluntary guidance shall remain in effect until the rules become effective. In the event that the EDGAR system is not updated by the effective date, companies should submit the required certifications as Exhibit 99.^[158] For registered investment companies, the interim guidance shall remain in effect until the rules become effective.^[159]

D. Form of Section 302 Certifications

We proposed several amendments to the form of certifications to be provided pursuant to Section 302 of the Sarbanes-Oxley Act. In particular, we proposed the following:

• The addition of a statement that principal executive and financial officers are responsible for designing internal controls and procedures for financial reporting or having such controls and procedures designed under their supervision;
• The clarification that disclosure controls and procedures may be designed under the supervision of principal executive and financial officers; and
• The revision of the statement as to the effectiveness of disclosure controls and procedures and internal controls and procedures for financial reporting would be as of the end of the period.

We have adopted the proposals referred to above substantially as proposed. In addition, we have made the following changes:

• We have incorporated the term “internal control over financial reporting” into the certification;
• We have amended the provision of the certification relating to changes in internal control over financial reporting, consistent with the final rules discussed above regarding evaluation and disclosure, so that it refers to changes that have materially affected or are reasonably likely to materially affect internal control over financial reporting;
• We have clarified that the statement as effectiveness of disclosure controls and procedures be as of the end of the period, but that the date of the evaluation is not specified; and
• We have made minor changes in the organization of the certification.

E. Transition Period

The final rules regarding filing of certifications under Sections 302 and 906, for companies other than registered investment companies, will be effective on August 14, 2003. The compliance dates applicable to registered investment companies are described in Section II. I., above.

We believe that changes in the form of Section 302 certification described above are beneficial to both registrants and investors because they clarify the provisions of the certification. With one exception, discussed below, the changes are also not related to our new requirements regarding management's internal control report. With that one exception, appropriateness of the modified certification is thus not affected by the extended compliance period we are providing in connection with management's internal control report and the related attestation. Our rules adopted today also therefore provide that the form of Section 302 certification will be modified, with that one exception, in accordance with these rules effective on August 14, 2003.

We are applying the extended compliance period to the portion of the introductory language in paragraph 4 of the Section 302 certification that refers to the certifying officers' responsibility for establishing and maintaining internal control over financial reporting for the company, as well as paragraph 4(b), which must be provided in the first annual report required to contain management's internal control report and thereafter. As noted above, this extended compliance period does not in any way affect the provisions of our other rules and regulations regarding internal controls that are in effect.

IV. Paperwork Reduction Act

A. Background

Certain provisions of our final amendments contain “collection of information” requirements within the meaning of the Paperwork Reduction Act of 1995 (“PRA”).^[160] We published a notice requesting comment on the collection of information requirements in the proposing release for the rule amendments, and we submitted these requirements to the Office of Start Printed Page 36654Management and Budget (“OMB”) for review in accordance with the PRA.^[161] The titles for the collection of information are:

(1) “Form 10-Q” (OMB Control No. 3235-0070);

(2) “Form 10-QSB” (OMB Control No. 3235-0416);

(3) “Form 10-K” (OMB Control No. 3235-0063);

(4) “Form 10-KSB” (OMB Control No. 3235-0420);

(5) “Form 20-F” (OMB Control No. 3235-0288);

(6) “Form 40-F” (OMB Control No. 3235-0381);

(7) “Regulation S-X” (OMB Control No. 3235-0009);

(8) “Regulation S-K” (OMB Control No. 3235-0071);

(9) “Regulation S-B” (OMB Control No. 3235-0417); and

(10) “Form N-CSR” (OMB Control No. 3235-0570).

The forms are periodic reports adopted under the Exchange Act and the Investment Company Act. The regulations set forth the disclosure requirements for periodic reports, registration statements and proxy and information statements filed by companies to ensure that investors are informed. The hours and costs associated with preparing, filing and sending these forms constitute reporting and cost burdens imposed by each collection of information. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. Compliance with the requirements is mandatory. Under our rules for the retention of manual signatures,^[162] companies must retain, for a period of five years, an original signature page or other document authenticating, acknowledging or otherwise adopting the certifying officers' signatures that appear in their electronically filed periodic reports. Responses to the information collections are not kept confidential.

B. Summary of the Final Rules

The final rules require the annual report of every company that files periodic reports under Section 13(a) or 15(d) of the Exchange Act, other than reports by registered investment companies, to contain a report of management that includes:

• A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
• A statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting;
• Management's assessment of the effectiveness of the company's internal control over financial reporting, as of the end of the most recent fiscal year; and
• A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's evaluation of the company's internal control over financial reporting.

We are adding these requirements pursuant to the legislative mandate in Section 404 of the Sarbanes-Oxley Act. Under our final rules, a company also will be required to evaluate and disclose any change in its internal control over financial reporting that occurred during the fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.

We are also adopting amendments to require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to their annual, semi-annual and quarterly reports. These amendments will enhance the ability of investors, the Commission staff, the Department of Justice and other interested parties to easily and efficiently access the certifications through our Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and facilitate better monitoring of a company's compliance with the certification requirements.

C. Summary of Comment Letters and Revisions to Proposals

We requested comment on the PRA analysis contained in the proposing releases addressing Section 404 and Sections 302 and 906 of the Sarbanes-Oxley Act.^[163] We received no comments on our PRA estimates for the certification requirements. With respect to our PRA estimates for the rules implementing Section 404 of the Sarbanes-Oxley Act, eight commenters thought that our PRA estimates significantly understated the actual time and costs that companies would have to expend evaluating and reporting on their internal control over financial reporting.^[164] However, few of these commenters provided actual alternative cost estimates, and none provided estimates that could be applied generally to all types and sizes of companies. One commenter believed that, based on its experience, we understated the burden estimate by at least a factor of 100.^[165] In response to these commenters, and based on follow-up conversations with several of the commenters who expressed a view on our burden and cost estimates, we have revised our estimates as discussed more fully in Section IV.D below.

We have made a substantive modification to the proposed rules in response to the cost concerns expressed by commenters. Specifically, the final rules require companies to undertake a quarterly evaluation only of any change occurring during the fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting. This change should substantially mitigate some of the costs and burdens associated with the proposed requirements.

We have made additional substantive changes to the proposed rule as well. First, the final rules require management to evaluate the company's internal control over financial reporting using a suitable framework, such as the COSO Framework. Second, the final rules expand the list of information that must be included in the management report and specify that management cannot conclude that a company's internal control over financial reporting is effective if there are one or more material weaknesses in such control. Under the final rules, management must identify the framework used to evaluate the company's internal control over financial reporting and disclose any material weaknesses in the company's internal control over financial reporting discovered through the evaluation. We do not believe that these changes significantly alter the burdens imposed on companies resulting from the required assessment of internal control over financial reporting.

D. Revisions to PRA Reporting and Cost Burden Estimates

As discussed above, in consideration of commenters' remarks, we are revising our PRA burden and cost estimates for the rules pertaining to Section 404 that we originally submitted to the OMB in connection with the proposed rules. Start Printed Page 36655

We derived our new burden hour estimates for the annual report forms by estimating the total amount of time that it will take a company's management to conduct the annual evaluation of its internal control over financial reporting and to prepare the required management report.^[166] Our annual burden estimate is based on several assumptions. First, we assumed that the annual number of responses for each form would be consistent with the number of filings that we received in fiscal year 2002.^[167] Second, we assumed that there is a direct correlation between the extent of the burden and the size of the reporting company, with the burden increasing commensurate with the size of the company. We believe that there will be a marked disparity of burdens and costs resulting from the new internal control requirements between the largest and smallest reporting companies. Our estimates reflect an average burden for all sizes of companies. Third, we assumed that the first-year burden would be greater than that for subsequent years, as a portion of the costs will reflect one-time expenditures associated with complying with the rule, such as compiling documentation, implementing new processes, and training staff. We also adjusted the second and third year estimates to account for the fact that management should become more efficient at conducting its internal control assessment and preparing the disclosure after the first year as the process becomes more routine.^[168] Under these assumptions, we estimate that the average incremental burden for an annual filing will be 383 hours per company and the portion of that burden that is reflected as the cost associated with outside professionals is approximately $34,300 per company. For large corporations, we expect that this burden will be substantially higher. Indeed, we received estimates in the thousands of hours for some large and complex companies. Conversely, we expect small companies to find their burden to be less than this average. We also believe that many companies will experience costs well in excess of this average in the first year of compliance with the final rules. We believe that costs will decrease in subsequent years. This burden will also vary among companies based on the complexity of their organization and the nature of their current internal control procedures. We therefore calculated our estimates by averaging the estimated burdens over a three-year period.

We derived our burden estimates for the quarterly report forms by estimating the total amount of time that it will take a company's management to conduct the quarterly evaluation of material changes to the company's internal control over financial reporting and for the company to prepare the required disclosure about such changes. We believe that these quarterly evaluations will impose little additional burden, as much of the structure to conduct these evaluations will be established in connection with the annual evaluations. We estimate that the quarterly reporting will impose an additional burden of five hours per company in connection with each quarterly report. Accordingly, we did not revise our original burden hour estimates for the quarterly report forms.

We estimate the total annual incremental burden (for annual and quarterly reports) associated with the new internal control evaluation and disclosure requirements for all companies to be approximately 3,792,888 hours of company personnel time and a cost of $481,013,550 for the services of outside professionals.^[169]

Table 1 below presents these burdens and costs for each form affected by the final rules implementing Section 404 of Sarbanes-Oxley. We calculated the burden by multiplying the estimated number of affected responses by the estimated average number of hours that management will spend conducting its assessment of the company's internal control over financial reporting and preparing the related disclosure. For Exchange Act annual reports, we estimate that 75% of the burden of preparation is carried by the company internally and that 25% of the burden of preparation is carried by outside professionals retained by the company at an average cost of $300 per hour.^[170] The portion of the burden carried by outside professionals is reflected as a cost, while the portion of the burden carried by the company internally is reflected in hours. There is no change to the estimated burden of the collections of information entitled “Regulation S-K,” “Regulation S-B” and “Regulation S-X” because the burdens that these regulations impose are reflected in our revised estimates for the forms.

We do not believe that the amendments with respect to the Section 302 certifications result in a need to alter the burden estimates that we previously submitted to OMB because they merely relocate the certifications from the text of quarterly and annual reports filed or submitted under Section 13(a) or 15(d) of the Exchange Act to the “Exhibits” section of the reports. We are, however, revising the burden estimates for quarterly and annual reports and for Form N-CSR based on the amendment with respect to the Section 906 certification.^[171] The PRA estimates for these amendments do not reflect a cost because we believe that the entire burden will be borne by company personnel. With respect to semi-annual reports on Form N-CSR, because the financial statements of registered management investment companies are not as complex as those of operating companies, we estimate that the amendments relating to the Section 906 certifications would result in an increase of one burden hour per portfolio.^[172] We estimate that there are approximately 3,700 registered management investment companies that are required to file reports on Form N-CSR, containing 9,850 portfolios. The following table illustrates the incremental PRA estimates for the new Section 906 certification ^[173] requirements:

V. Cost-Benefit Analysis

The amendments implementing Section 404 of the Sarbanes-Oxley Act are congressionally mandated. We recognize that implementation of the Sarbanes-Oxley Act will likely result in costs and benefits to the economy. We are sensitive to the costs and benefits imposed by our rules, and we have considered costs and benefits of our amendments.

A. Benefits

One of the main goals of the Sarbanes-Oxley Act is to enhance the quality of reporting and increase investor confidence in the financial markets. Recent market events have evidenced a need to provide investors with a clearer understanding of the processes that surround the preparation and presentation of financial information. These amendments are intended to accomplish the Act's goals by improving public company disclosure to investors about the extent of management's responsibility for the company's financial statements and internal control over financial reporting and the means by which management discharges its responsibility. The establishment and maintenance of internal control over financial reporting has always been an important responsibility of management. An effective system of internal control over financial reporting is necessary to produce reliable financial statements and other financial information used by investors. By requiring a report of management stating management's responsibility for the company's financial statements and internal control over financial reporting and management's assessment regarding the effectiveness of such control, investors will be able to better evaluate management's performance of its stewardship responsibilities and the reliability of a company's financial statements and other unaudited financial information.

The required annual evaluation of internal control over financial reporting will encourage companies to devote adequate resources and attention to the maintenance of such control. Additionally, the required evaluation should help to identify potential weaknesses and deficiencies in advance of a system breakdown, thereby facilitating the continuous, orderly and timely flow of information within the company and, ultimately, to investors and the marketplace. Improved disclosure may help companies detect fraudulent financial reporting earlier and perhaps thereby deter financial fraud or minimize its adverse effects. All of these benefits will increase market efficiency by improving investor confidence in the reliability of a company's financial disclosure and system of internal control over financial reporting. These benefits are not readily quantifiable. Commenters overwhelmingly supported the benefits of the amendments.

The amendments related to Section 302 of the Sarbanes-Oxley Act relocate the certifications required by Exchange Act Rules 13a-14 and 15d-14 from the text of quarterly and annual reports filed or submitted under Section 13(a) or 15(d) of the Exchange Act to the “Exhibits” section of these reports. The amendments related to Section 906 of the Sarbanes-Oxley Act require that the certifications required by Section 1350 of Title 18 of the United States Code, added by Section 906 of the Act, accompany the periodic reports to which they relate as exhibits. These changes will enhance the ability of investors and the Commission staff to verify that the certifications have, in fact, been submitted with the Exchange Act reports to which they relate and to review the contents of the certifications to ensure compliance with the Start Printed Page 36657applicable requirements. In addition, the changes will enable the Department of Justice, which has responsibility for enforcing Section 906, to review effectively the form and content of the certifications required by that section.

B. Costs

The final rules related to Section 404 of the Sarbanes-Oxley Act require companies, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The management report on internal control over financial reporting must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting; a statement identifying the framework used to evaluate the effectiveness of the company's internal control over financial reporting; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's evaluation of the company's internal control over financial reporting. The final rules will increase costs for all reporting companies. These costs are mitigated somewhat because companies have an existing obligation to maintain an adequate system of internal accounting control under the FCPA. Moreover, one commenter noted that some companies already voluntarily include management reports on their internal controls in their annual reports. The preparation of the management report on internal control over financial reporting will likely involve multiple parties, including senior management, internal auditors, in-house counsel, outside counsel and audit committee members.

Many commenters believed that our proposal to require quarterly evaluations of a company's internal control over financial reporting would significantly increase the costs of preparing periodic reports. Several commenters also were concerned that the proposals would result in increased audit fees. We have limited data on which to base cost estimates of the final rules.

Using our PRA burden estimates, we estimate the aggregate annual costs of implementing Section 404(a) of the Sarbanes-Oxley Act to be around $1.24 billion (or $91,000 per company).^[174] We recognize the magnitude of the cost burdens and we are making several accommodations to address commenters' concerns and to ease compliance, including:

• Requiring quarterly disclosure only of any change that has materially affected, or is reasonably likely to materially affect, a company's internal control over financial reporting; and
• An extended transition period for the new internal control reporting requirements.

We originally proposed to require a company to include an internal control report in its annual report for fiscal years ending on or after September 15, 2003. Under the final rules, a company that is an “accelerated filer” under the definition in Exchange Act Rule 12b-2 must begin to comply with the internal control report requirement in its annual report for its first fiscal year ending on or after June 15, 2004. All other companies must begin to comply with the requirement in their annual reports for their first fiscal year ending on or after April 15, 2005.

A longer transition period will help to alleviate the immediate impact of any costs and burdens imposed on companies. A longer transition period may even help to reduce costs as companies will have additional time to develop best practices, long-term processes and efficiencies in preparing management reports. Also, a longer transition period will expand the period of availability of outside professionals that some companies may wish to retain as they prepare to comply with the new requirements.

The PRA burden estimate, however, excludes several costs attributable to Section 404. The estimate does not include the costs associated with the auditor's attestation report, which many commenters have suggested might be substantial. It also excludes estimates of likely “indirect” costs of the final rules. For instance, the final rules increase the cost of being a public company; therefore the final rules may discourage some companies from seeking capital from the public markets. Moreover, the final rules may also discourage non-U.S. firms from seeking capital in the United States.

The incremental costs of the amendments related to Section 302 of the Sarbanes-Oxley Act are minimal. Since companies must already include the certifications required by Exchange Act Rules 13a-14 and 15d-14 in their quarterly and annual reports, there should be no incremental cost to relocating the certifications from the text of the reports to the “Exhibits” section of these reports. Requiring the Section 906 certifications to be included as an exhibit to the periodic reports to which they relate will lead to some additional costs for companies that currently are submitting the certifications to the Commission in some other manner. While these costs are difficult to quantify, we estimate that the annual paperwork burden of the amendments will be approximately $23.4 million.^[175]

One commenter has expressed concern that companies may assume greater legal risk by making their Section 906 certifications publicly available.^[176] To the extent that companies may assume greater legal risk by including the Section 906 certifications as part of their periodic reports filed pursuant to the Exchange Act where these reports are incorporated by reference into Securities Act registration statements, we address this risk by requiring companies to “furnish,” rather than “file,” the certifications with the Commission for purposes of Section 18 of the Exchange Act or incorporation by reference into other filings. Thus, the amendments should mitigate this potential indirect cost of compliance. We believe that it is appropriate to require the certifications that accompany a periodic report to be publicly available. We believe that Congress intended for Section 906 certifications to be publicly available. Civil liability already exists by virtue of the pre-existing signature requirements and Section 302 certifications. In addition, any Section 906 certification submitted to the Commission as correspondence is subject to the Freedom of Information Act.^[177]

VI. Effect on Efficiency, Competition and Capital Formation

Section 23(a)(2) of the Exchange Act ^[178] requires us to consider the anti-competitive effects of any rules that we adopt under the Exchange Act. In addition, Section 23(a)(2) prohibits us from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act. The amendments related to Section 404 of the Sarbanes-Oxley Act represent the implementation of a congressional mandate. The final rules require management reports that improve investors' understanding of management's responsibility for the preparation of reliable financial information and maintaining adequate internal control over financial reporting. We anticipate that these requirements will enhance the proper functioning of the capital markets by increasing the quality and accountability of financial reporting and restoring investor confidence.

Section 2(b) of the Securities Act,^[179] Section 3(f) of the Exchange Act ^[180] and Section 2(c) of the Investment Company Act ^[181] require us, when engaging in rulemaking to consider or determine whether an action is necessary or appropriate in the public interest, and consider whether the action will promote efficiency, competition, and capital formation. The amendments related to Section 404 are designed to enhance the quality and accountability of the financial reporting process and may help increase investor confidence, which implies increased efficiency and competitiveness of the U.S. capital markets. Increased market efficiency and investor confidence also may encourage more efficient capital formation. We requested comments on the effect of these amendments on efficiency, competition and capital formation analyses in the proposing release addressing Section 404. We received no comments in response to these requests.

The amendments related to Section 302 of the Sarbanes-Oxley Act would relocate the certifications required by Exchange Act Rules 13a-14 and 15d-14 from the text of quarterly and annual reports filed or submitted under Section 13(a) or 15(d) of the Exchange Act to the “Exhibits” section of these reports. This relocation will enhance the ability of investors and the Commission staff to verify that the certifications have, in fact, been submitted with the Exchange Act reports to which they relate and to review the contents of the certifications to ensure compliance with the applicable requirements. The amendments related to Section 906 of the Sarbanes-Oxley Act also will streamline compliance with Section 1350 of Title 18 of the United States Code, added by Section 906 of the Act, and will enable investors, the Commission staff and the Department of Justice, which has responsibility for enforcing Section 1350, to verify submission and efficiently review the form and content of the certifications required by that provision.

We do not believe that the amendments related to certifications will impose any burden on competition, nor are we aware of any impact on capital formation that would result from the amendments. Depending on how an issuer's principal executive and principal financial officers presently satisfy the Section 906 certification requirements, issuers may incur some additional costs in submitting these certifications as an exhibit to their periodic reports. While these costs are difficult to quantify, we believe that they would be nominal. We requested comment on whether the amendments would affect competition, efficiency and capital formation. We received no comments in response to this request.

VII. Final Regulatory Flexibility Analysis

This Final Regulatory Flexibility Analysis (“FRFA”) has been prepared in accordance with the Regulatory Flexibility Act.^[182] This FRFA relates to new rules and amendments that require Exchange Act companies, other than registered investment companies, to include in their annual reports a report of management on the company's internal control over financial reporting. The management report on internal control over financial reporting must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting; a statement identifying the framework used to evaluate the effectiveness of the company's internal control over financial reporting; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year; and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's evaluation of the company's internal control over financial reporting. This FRFA also addresses new rules and amendments that require companies to file the certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to their periodic reports. An Initial Regulatory Flexibility Analysis (“IRFA”) was prepared in accordance with the Regulatory Flexibility Act in conjunction with each of the releases proposing these rules.^[183] The proposing releases solicited comments on these analyses.

A. Need for the Amendments

We are adopting these disclosure requirements to comply with the mandate of, and to fulfill the purposes underlying the provisions of, the Sarbanes-Oxley Act of 2002. The new evaluation and disclosure requirements regarding a company's internal control over financial reporting are intended to enhance the quality of reporting and increase investor confidence in the fairness and integrity of the securities markets by making it clear that a company's management is responsible for maintaining and annually assessing such controls. The amendments related to Sections 302 and 906 of the Sarbanes-Oxley Act will enhance the ability of investors and the Commission staff to verify that the certifications have, in fact, been submitted with the Exchange Act reports to which they relate and to review the contents of the certifications to ensure compliance with the applicable requirements. The amendments also will streamline compliance with Section 1350 of Title 18 of the United States Code and will enable investors, the Commission staff and the Department of Justice, which has responsibility for enforcing Section 1350, to verify a company's submission of the Section 906 certification and efficiently review the form and content of the certifications.

B. Significant Issues Raised by Public Comment

In the Proposing Releases, we requested comment on any aspect of the IRFA, including the number of small entities that would be affected by the proposals, and both quantitative and qualitative nature of the impact. Several commenters expressed concern that small business issuers, including small entities, would be particularly disadvantaged by our proposal to require quarterly evaluations of internal control over financial reporting. We received no commentary on the impact Start Printed Page 36659on small entities of the new certification requirements.

C. Small Entities Subject to the Amendments

The new disclosure items affect issuers that are small entities. Exchange Act Rule 0-10(a) ^[184] defines an issuer, other than an investment company, to be a “small business” or “small organization” if it had total assets of $5 million or less on the last day of its most recent fiscal year. We estimate that there are approximately 2,500 issuers, other than investment companies, that may be considered small entities. For purposes of the Regulatory Flexibility Act, an investment company is a “small entity” if it, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year.^[185] We estimate that there are approximately 190 registered management investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $50 million or less as of the end of the most recent fiscal year.^[186]

The new disclosure items with respect to management's report on internal control over financial reporting and the registered public accounting firm's attestation report apply to any small entity, other than a registered investment company, that is subject to Exchange Act reporting requirements. The new certification requirements apply to any small entity that is subject to Exchange Act reporting requirements.

D. Reporting, Recordkeeping and Other Compliance Requirements

The amendments require a company's management to disclose information regarding the company's internal control over financial reporting, including management's assessment of the effectiveness of the company's internal control over financial reporting. All small entities that are subject to the reporting requirements of Section 13(a) or 15(d) of the Exchange Act, other than registered investment companies, are subject to these evaluation and disclosure requirements. Because reporting companies already file the forms being amended, no additional professional skills beyond those currently possessed by these filers necessarily are required to prepare the new disclosure, although some companies may choose to engage outside professionals to assist them in complying with the new requirements. We expect that these new disclosure items will increase compliance costs incurred by small entities. We have calculated for purposes of the Paperwork Reduction Act that each company would be subject to an added annual reporting burden of approximately 398 hours and the portion of that burden that is reflected as the cost associated with outside professionals is approximately $35,286.^[187] We believe, however, that the annual average burden and costs for small issuers are much lower.^[188] For the new certification requirements, we estimate that a company, including a small entity, will be subject to an additional reporting burden of eight hours per year.^[189] These burden estimates reflect only the burden and cost of the required collection of information.

E. Agency Action to Minimize Effect on Small Entities

The Regulatory Flexibility Act directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. In connection with the amendments, we considered the following alternatives:

• Establishing different compliance or reporting requirements or timetables that take into account the resources available to small entities;
• Clarifying, consolidating or simplifying compliance and reporting requirements under the rules for small entities;
• Using performance rather than design standards; and
• Exempting small entities from all or part of the requirements.

Several of these alternatives were considered but rejected, while other alternatives were taken into account in the final rules. We believe the final rules fulfill the intent of the Sarbanes-Oxley Act of enhancing the quality of reporting and increasing investor confidence in the fairness and integrity of the securities markets.

Sections 302, 404 and 906 of the Sarbanes-Oxley Act make no distinction based on a company's size. We think that improvements in the financial reporting process for all companies are important for promoting investor confidence in our markets. For example, a 1999 report commissioned by the organizations that sponsored the Treadway Commission found that the incidence of financial fraud was greater in small companies.^[190] However, we are sensitive to the costs and burdens that small entities will face. The final rules require only a quarterly evaluation of material changes to a company's internal control over financial reporting, unlike the proposed rules that would have required management to evaluate the effectiveness of a company's internal control over financial reporting on a quarterly basis. In response to comments, including comments submitted by the Small Business Administration, we have decided not to adopt this proposal.

We believe that a blanket exemption for small entities from coverage of the requirements is not appropriate and would be inconsistent with the policies underlying the Sarbanes-Oxley Act. However, we have provided an extended transition period for companies that do not meet the definition in Exchange Act Rule 12b-2 ^[191] of an “accelerated filer” for the rules implementing Section 404 of the Sarbanes-Oxley Act. Under the adopted rules, non-accelerated filers, including small business issuers, need not prepare the management report on internal control over financial reporting until they file their annual reports for fiscal years ending on or after April 15, 2005. This deferral provides non-accelerated filers more time to develop structured and formal systems of internal control over financial reporting.

We believe that the new disclosure and certification requirements are clear and straightforward. The amendments require only brief disclosure. An effective system of internal control over financial reporting has always been necessary to produce reliable financial statements and other financial information. Our amendments do not specify any particular controls that a company's internal control over financial reporting should include. Each company is afforded the flexibility to design its internal control over financial reporting according to its own set of circumstances. This flexibility should Start Printed Page 36660enable companies to keep costs of compliance as low as possible. Therefore, it does not seem necessary to develop separate requirements for small entities.

The final rules impose both design and performance standards regarding disclosure of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company and management's assessment of the effectiveness of such controls. The rules do, however, afford a company the flexibility to design its internal control over financial reporting to fit its particular circumstances. We believe that it would be inconsistent with the purposes of the Sarbanes-Oxley Act to specify different requirements for small entities.

VIII. Statutory Authority and Text of Rule Amendments

The amendments described in this release are being adopted under the authority set forth in Sections 5, 6, 7, 10, 17 and 19 of the Securities Act, as amended, Sections 12, 13, 15, 23 and 36 of the Exchange Act, Sections 8, 30, 31 and 38 of the Investment Company Act, as amended and Sections 3(a), 302, 404, 405 and 906 of the Sarbanes-Oxley Act.

List of Subjects

17 CFR Part 210

• Accountants
• Accounting
• Reporting and recordkeeping requirements
• Securities

17 CFR Part 228

• Reporting and recordkeeping requirements
• Securities
• Small businesses

17 CFR Parts 229, 240 and 249

• Reporting and recordkeeping requirements
• Securities

17 CFR Parts 270 and 274

• Investment companies
• Reporting and recordkeeping requirements
• Securities

Text of Amendments

For the reasons set out in the preamble, the Commission amends title 17, chapter II, of the Code of Federal Regulations as follows:

PART 210—FORM AND CONTENT OF AND REQUIREMENTS FOR FINANCIAL STATEMENTS, SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934, PUBLIC UTILITY HOLDING COMPANY ACT OF 1935, INVESTMENT COMPANY ACT OF 1940, INVESTMENT ADVISERS ACT OF 1940, AND ENERGY POLICY AND CONSERVATION ACT OF 1975

1. The authority citation for Part 210 is revised to read as follows:

Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 78c, 78j-1, 78l, 78m, 78n, 78o(d), 78q, 78u-5, 78w(a), 78ll, 78mm, 79e(b), 79j(a), 79n, 79t(a), 80a-8, 80a-20, 80a-29, 80a-30, 80a-31, 80a-37(a), 80b-3, 80b-11, 7202 and 7262, unless otherwise noted.

2. Section 210.1-02 is amended by:

a. Removing the authority citation following § 210.1-02;

b. Redesignating paragraph (a) as paragraph (a)(1); and

c. Adding paragraph (a)(2).

The revisions read as follows:

3. Amend § 210.2-02 by:

a. Revising the section heading;

b. Revising the headings of paragraphs (a), (b), (c) and (d); and

c. Adding paragraph (f).

The addition and revisions read as follows.

PART 228—INTEGRATED DISCLOSURE SYSTEM FOR SMALL BUSINESS ISSUERS

4. The general authority citation for Part 228 is revised to read as follows:

Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77jjj, 77nnn, 77sss, 78 l, 78m, 78n, 78o, 78u-5, 78w, 78 ll, 78mm, 80a-8, 80a-29, 80a-30, 80a-37, 80b-11, 7202, 7241, and 7262; and 18 U.S.C. 1350, unless otherwise noted.

5. Revise § 228.307 to read as follows:

6. Add § 228.308 to read as follows:

7. Amend § 228.401 by removing the phrase “internal controls and procedures for financial reporting” in paragraph (e)(2)(iv) of Item 401 and adding, in its place, the phrase “internal control over financial reporting”.

8. Amend § 228.601 by:

a. Removing the last sentence of paragraph (a)(1);

b. Revising the Exhibit Table;

c. Revising paragraph (b)(7) to read “No exhibit required.”;

d. Revising the heading in paragraph (b)(11) to read “Statement re: computation of per share earnings”; and

e. Revising paragraphs (b)(27) through (b)(98).

The revisions read as follows.

PART 229—STANDARD INSTRUCTIONS FOR FILING FORMS UNDER SECURITIES ACT OF 1933, SECURITIES EXCHANGE ACT OF 1934 AND ENERGY POLICY AND CONSERVATION ACT OF 1975—REGULATION S-K

9. The general authority citation for Part 229 is revised to read as follows:

Authority: 15 U.S.C. 77e, 77f, 77g, 77h, 77j, 77k, 77s, 77z-2, 77z-3, 77aa(25), 77aa(26), 77ddd, 77eee, 77ggg, 77hhh, 77iii, 77jjj, 77nnn, 77sss, 78c, 78i, 78j, 78l, 78m, 78n, 78o, 78u-5, 78w, 78ll, 78mm, 79e, 79j, 79n, 79t, 80a-8, 80a-9, 80a-20, 80a-29, 80a-30, 80a-31(c), 80a-37, 80a-38(a), 80a-39, 80b-11, 7202, 7241, and 7262; and 18 U.S.C. 1350, unless otherwise noted.

10. By revising § 229.307 to read as follows:

11. By adding § 229.308 to read as follows:

12. By amending § 229.401 by removing the phrase “internal controls and procedures for financial reporting” in paragraph (h)(2)(iv) of Item 401 and adding, in its place, the phrase “internal control over financial reporting”.

13. By amending § 229.601 by:

a. Removing the second and third sentences of paragraph (a)(1);

b. Revising the Exhibit Table which follows the Instructions to the Exhibit Table; and

c. Revising paragraphs (b)(27) through (b)(98).

The revisions read as follows:

PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934

14. The general authority citation for Part 240 is revised to read as follows:

Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78d, 78e, 78f, 78g, 78i, 78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78o, 78p, 78q, 78s, 78u-5, 78w, 78x, 78ll, 78mm, 79q, 79t, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 7202, 7241, 7262, and 7263; and 18 U.S.C. 1350, unless otherwise noted.

15. By revising § 240.12b-15 to read as follows:

16. By amending § 240.13a-14 by:

a. Revising paragraphs (a) and (b);

b. Removing paragraph (c);

c. Redesignating paragraphs (d), (e) and (f) as paragraphs (c), (d) and (e);

d. Revising newly redesignated paragraph (c), the introductory text of newly redesignated paragraph (d) and newly redesignated paragraph (e); and

e. Adding and reserving new paragraph (f).

The revisions read as follows:

17. Section 240.13a-15 is revised to read as follows:

18. Amending § 240.15d-14 by:

a. Revising paragraphs (a) and (b);

b. Removing paragraph (c);

c. Redesignating paragraphs (d), (e) and (f) as paragraphs (c), (d) and (e);

d. Revising newly redesignated paragraph (c), the introductory text of newly redesignated paragraph (d) and newly redesignated paragraph (e); and

e. Adding and reserving new paragraph (f).

The revisions read as follows:

19. Section 240.15d-15 is revised to read as follows:

PART 249—FORMS, SECURITIES EXCHANGE ACT OF 1934

20. The general authority citation for Part 249 and the subauthority citation for “Section 249.331” are revised to read as follows:

Authority: 15 U.S.C. 78a et seq., 7202, 7233, 7241, 7262, 7264, and 7265; and 18 U.S.C. 1350, unless otherwise noted.

Section 249.331 is also issued under 15 U.S.C. 78j-1, 7202, 7233, 7241, 7264, 7265; and 18 U.S.C. 1350.

21. By amending Form 10-Q (referenced in § 249.308a) by:

a. Removing the last sentence of General Instruction G;

b. Revising Item 4 to “Part I—Financial Information;” and

c. Removing the “Certifications” section after the “Signatures” section.

The revision reads as follows.

Note:

The text of Form 10-Q does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 10-Q

Part I—Financial Information

Item 4. Controls and Procedures.

Furnish the information required by Items 307 of Regulation S-K (17 CFR 229.307) and 308(c) of Regulation S-K (17 CFR 229.308(c)).

22. By amending Form 10-QSB (referenced in § 249.308b) by:

a. Removing the last sentence of paragraph 2 of General Instruction F;

b. Revising Item 3 to “Part I—Financial Information;” and

c. Removing the “Certifications” section after the “Signatures” section. Start Printed Page 36668

The revision reads as follows.

Note:

The text of Form 10-QSB does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 10-QSB

Part I—Financial Information

Item 3. Controls and Procedures.

Furnish the information required by Items 307 of Regulation S-B (17 CFR 228.307) and 308(c) of Regulation S-B (17 CFR 228.308(c)).

23. By amending Form 10-K (referenced in § 249.310) by:

a. Removing the phrase “(who also must provide the certification required by Rule 13a-14 ( 17 CFR 240.13a-14) or Rule 15d-14 (17 CFR 240.15d-14) exactly as specified in this form)” each time it appears in the first sentence of paragraph (2)(a) of General Instruction D.;

b. Removing the phrase “(Items 1 through 9 or any portion thereof)” and adding, in its place, the phrase “(Items 1 through 9A or any portion thereof)” in the first sentence of paragraph (2) of General Instruction G.;

c. Removing the phrase “(Items 10, 11, 12 and 13)” and adding, in its place, the phrase “(Items 10, 11, 12, 13 and 14)” in the first sentence of paragraph (3) of General Instruction G.;

d. Removing the phrase “(Items 1 through 9)” in the third sentence of paragraph (4) of General Instruction G and adding, in its place, the phrase “(Items 1 through 9A)”;

e. Removing the phrase “(Items 10 through 13)” in the third sentence of paragraph (4) of General Instruction G and adding, in its place, the phrase “(Items 10 through 14)”;

f. Redesignating Item 14 of Part III as Item 9A of Part II and revising newly redesignated Item 9A;

g. Redesignating Item 15 in Part III as Item 14;

h. “Instruction to Item 15” is corrected to read “Instruction to Item 14”;

i. Redesignating Item 16 in Part IV as Item 15;

j. Removing the “Certifications” section after the “Signatures” section and before the reference to “Supplemental Information to be Furnished With Reports Filed Pursuant to Section 15(d) of the Act by Issuers Which Have Not Registered Securities Pursuant to Section 12 of the Act.”

The revision reads as follows.

Note:

The text of Form 10-K does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 10-K

Part II

Item 9A. Controls and procedures.

Furnish the information required by Items 307 and 308 of Regulation S-K (17 CFR 229.307 and 229.308).

24. By amending Form 10-KSB (referenced in § 249.310b) by:

a. Removing the phrase “(who also must provide the certification required by Rule 13a-14 ( 17 CFR 240.13a-14) or Rule 15d-14 (17 CFR 240.15d-14) exactly as specified in this form)” each time it appears in the first sentence of paragraph 2 of General Instruction C.;

b. Redesignating Item 14 of Part III as Item 8A of Part II and revising newly redesignated Item 8A;

c. Redesignating Item 15 of Part III as Item 14;

d. “Instruction to Item 15” is corrected to read “Instruction to Item 14”;

e. Revising Item 2 of Part III of “INFORMATION REQUIRED IN ANNUAL REPORT OF TRANSITIONAL SMALL BUSINESS ISSER”; and

f. Removing the “Certifications” section after the “Signatures” section and before the reference to “Supplemental Information to be Furnished With Reports Filed Pursuant to Section 15(d) of the Exchange Act By Non-reporting Issuers.”

Note:

The text of Form 10-KSB does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 10-KSB

PART II

Item 8A. Controls and Procedures

Furnish the information required by Items 307 of Regulation S-B (17 CFR 228.307) and 308 of Regulation S-B (17 CFR 228.308).

Information Required in Annual Report of Transitional Small Business isser

PART III

Item 2. Description of Exhibits.

As appropriate, the issuer should file those documents required to be filed as Exhibit Number 2, 3, 5, 6, and 7 in Part III of Form 1-A. The registrant also shall file:

(12) Additional exhibits—Any additional exhibits which the issuer may wish to file, which shall be so marked as to indicate clearly the subject matters to which they refer.

(13) Form F-X—Canadian issuers shall file a written irrevocable consent and power of attorney on Form F-X.

(31) The exhibit described in paragraph (b)(31) of Item 601 of Regulation S-B.

(32) The exhibit described in paragraph (b)(32) of Item 601 of Regulation S-B.

25. By amending Form 20-F (referenced in § 249.220f) by:

a. Revising paragraph (e) to General Instruction B;

b. Revising Item 15 of Part II;

c. Removing the phrase “internal controls and procedures for financial reporting” in paragraph (b)(4) of Item 16A of Part II and adding, in its place, the phrase “internal control over financial reporting”;

d. Removing the “Certifications” section after the “Signatures” section and before the section referencing “Instructions as to Exhibits”; and

e. In the “Instruction as to Exhibits” section, redesignate paragraph 12 as paragraph 14 and add new paragraph 12 and paragraph 13.

The revisions and addition read as follows.

Note:

The text of Form 20-F does not, and this amendment will not, appear in the Code of Federal Regulations.

Form 20-F

General Instructions

B. General Rules and Regulations That Apply to this Form.

(e) Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide the certifications required by Rule 13a-14 (17 CFR 240.13a-14) or Rule 15d-14 (17 CFR 240.15d-14).

Part II

Item 15. Controls and Procedures.

(a) Disclosure Controls and Procedures. Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, disclose the conclusions of the issuer's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the issuer's disclosure controls and procedures (as Start Printed Page 36669defined in 17 CFR 240.13a-15(e) or 240.15d-15(e)) as of the end of the period covered by the report, based on the evaluation of these controls and procedures required by paragraph (b) of 17 CFR 240.13a-15 or 240.15d-15.

(b) Management's annual report on internal control over financial reporting. Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide a report of management on the issuer's internal control over financial reporting (as defined in 17 CFR 240.13a-15(f) or 240.15d-15(f)) that contains:

(1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;

(2) A statement identifying the framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting as required by paragraph (c) of 17 CFR 240.13a-15 or 240.15d-15;

(3) Management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the issuer's internal control over financial reporting identified by management. Management is not permitted to conclude that the issuer's internal control over financial reporting is effective if there are one or more material weaknesses in the issuer's internal control over financial reporting; and

(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on management's assessment of the issuer's internal control over financial reporting.

(c) Attestation report of the registered public accounting firm. Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide the registered public accounting firm's attestation report on management's assessment of the issuer's internal control over financial reporting in the issuer's annual report containing the disclosure required by this Item.

(d) Changes in internal control over financial reporting. Disclose any change in the issuer's internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of 17 CFR 240.13a-15 or 240.15d-15 that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.

Instructions to Item 15.

1. The issuer must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting.

2. An issuer that is an Asset-Backed Issuer (as defined in 17 CFR 240.13a-14(g) and 17 CFR 240.15d-14(g)) is not required to disclose the information required by this Item.

Instructions as to Exhibits

12. The certifications required by Rule 13a-14(a) (17 CFR 240.13a-14(a)) or Rule 15d-14(a) (17 CFR 240.15d-14(a)) exactly as set forth below:

Certifications*

I, [identify the certifying individual], certify that:

1. I have reviewed this annual report on Form 20-F of [identify company];

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the company as of, and for, the periods presented in this report;

4. The company's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the company and have:

(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the company, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

(c) Evaluated the effectiveness of the company's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

(d) Disclosed in this report any change in the company's internal control over financial reporting that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting; and

5. The company's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company's auditors and the audit committee of the company's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal control over financial reporting.

Date:

[Signature]

[Title]

*Provide a separate certification for each principal executive officer and principal financial officer of the company. See Rules 13a-14(a) and 15d-14(a).

13. (a) The certifications required by Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350).

(b) A certification furnished pursuant to Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) will not be deemed “filed” for purposes of Section 18 of the Exchange Act [15 U.S.C. 78r], or otherwise subject to the liability of Start Printed Page 36670that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act or the Exchange Act, except to the extent that the company specifically incorporates it by reference.

26. By amending Form 40-F (referenced in § 249.240f) by:

a. Revising paragraph (6) to General Instruction B; and

b. Removing the phrase “internal controls and procedures for financial reporting” and adding, in its place, the phrase “internal control over financial reporting” in paragraph (8)(b)(4) of General Instruction B; and

c. Removing the “Certifications” section after the “Signatures” section.

The revision reads as follows.

Note:

The text of Form 40-F does not, and this amendment will not, appear in the Code of Federal Regulations.

FORM 40-F

General Instructions

B. Information To Be Filed on this Form

(6) Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act:

(a) (1) Provide the certifications required by Rule 13a-14(a) (17 CFR 240.13a-14(a)) or Rule 15d-14(a) (17 CFR 240.15d-14(a)) as an exhibit to this report exactly as set forth below.

Certifications*

I, [identify the certifying individual], certify that:

1. I have reviewed this annual report on Form 40-F of [identify issuer];

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer as of, and for, the periods presented in this report;

4. The issuer's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the issuer and have:

(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the issuer, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

(c) Evaluated the effectiveness of the issuer's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

(d) Disclosed in this report any change in the issuer's internal control over financial reporting that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting; and

5. The issuer's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the issuer's auditors and the audit committee of the issuer's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the issuer's ability to record, process, summarize and report financial information; and

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal control over financial reporting.

Date:

[Signature]

[Title]

*Provide a separate certification for each principal executive officer and principal financial officer of the issuer. See Rules 13a-14(a) and 15d-14(a).

(2) (i) Provide the certifications required by Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) as an exhibit to this report.

(ii) A certification furnished pursuant to Rule 13a-14(b) (17 CFR 240.13a-14(b)) or Rule 15d-14(b) (17 CFR 240.15d-14(b)) and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) will not be deemed “filed” for purposes of Section 18 of the Exchange Act [15 U.S.C. 78r], or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act or the Exchange Act, except to the extent that the issuer specifically incorporates it by reference.

(b) Disclosure Controls and Procedures. Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, disclose the conclusions of the issuer's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the issuer's disclosure controls and procedures (as defined in 17 CFR 240.13a-15(e) or 240.15d-15(e)) as of the end of the period covered by the report, based on the evaluation of these controls and procedures required by paragraph (b) of 17 CFR 240.13a-15 or 240.15d-15.

(c) Management's annual report on internal control over financial reporting. Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide a report of management on the issuer's internal control over financial reporting (as defined in 17 CFR 240.13a-15(f) or 240.15d-15(f)) that contains:

(1) A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the issuer;

(2) A statement identifying the framework used by management to evaluate the effectiveness of the issuer's internal control over financial reporting as required by paragraph (c) of 17 CFR 240.13a-15 or 240.15d-15;

(3) Management's assessment of the effectiveness of the issuer's internal control over financial reporting as of the end of the issuer's most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective. This discussion must include disclosure of any material weakness in the issuer's internal control over financial reporting identified by management. Management is not permitted to conclude that the Start Printed Page 36671issuer's internal control over financial reporting is effective if there are one or more material weaknesses in the issuer's internal control over financial reporting; and

(4) A statement that the registered public accounting firm that audited the financial statements included in the annual report containing the disclosure required by this Item has issued an attestation report on management's assessment of the issuer's internal control over financial reporting.

(d) Attestation report of the registered public accounting firm. Where the Form is being used as an annual report filed under Section 13(a) or 15(d) of the Exchange Act, provide the registered public accounting firm's attestation report on management's assessment of internal control over financial reporting in the annual report containing the disclosure required by this Item.

(e) Changes in internal control over financial reporting. Disclose any change in the issuer's internal control over financial reporting identified in connection with the evaluation required by paragraph (d) of 17 CFR 240.13a-15 or 240.15d-15 that occurred during the period covered by the annual report that has materially affected, or is reasonably likely to materially affect, the issuer's internal control over financial reporting.

Instructions to paragraphs (b), (c), (d) and (e) of General Instruction B. 6.

1. The issuer must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the issuer's internal control over financial reporting.

2. An issuer that is an Asset-Backed Issuer (as defined in 17 CFR 240.13a-14(g) and 240.15d-14(g)) is not required to disclose the information required by this Item.

PART 270—RULES AND REGULATIONS, INVESTMENT COMPANY ACT OF 1940

27. The authority citation for Part 270 is amended by revising the subauthority citation for “Section 270.30a-2” to read as follows:

Authority: 15 U.S.C. 80a-1 et seq., 80a-34(d), 80a-37, and 80a-39, unless otherwise noted.

Section 270.30a-2 is also issued under 15 U.S.C. 78m, 78o(d), 80a-8, 80a-29, 7202, and 7241; and 18 U.S.C. 1350, unless otherwise noted.

28. By revising the last sentence of § 270.8b-15 to read as follows:

29. Section 270.30a-2 is revised to read as follows:

30. By revising § 270.30a-3 to read as follows:

PART 274—FORMS PRESCRIBED UNDER THE INVESTMENT COMPANY ACT OF 1940

31. The authority citation for Part 274 is amended by revising the authority citation for “Section 274.128” to read as follows:

Authority: 15 U.S.C. 77f, 77g, 77h, 77j, 77s, 78c(b), 78 l, 78m, 78n, 78o(d), 80a-8, 80a-24, 80a-26, and 80a-29, unless otherwise noted.

Section 274.128 is also issued under 15 U.S.C. 78j-1, 7202, 7233, 7241, 7264, and 7265; and 18 U.S.C. 1350.

32. Form N-SAR (referenced in §§ 249.330 and 274.101) is amended by revising the reference “internal controls and procedures for financial reporting” in paragraph (b)(6)(iv) of the Instruction to Sub-Item 102P3 to read “internal control over financial reporting”.

33. Form N-CSR (referenced in §§ 249.331 and 274.128) is amended by:

a. In General Instruction D, revising the reference “Items 4, 5, and 10(a)” to read “Items 4, 5, and 10(a)(1)”;

b. Revising paragraph 2.(a) of General Instruction F;

c. In paragraph (c) of Item 2, revising the reference “Item 10(a)” to read “Item 10(a)(1)”;

d. In paragraph (f)(1) of Item 2, revising the reference “Item 10(a)” to read “Item 10(a)(1)”;

e. In paragraph (b)(4) of Item 3, revising the reference “internal controls and procedures for financial reporting” to read “internal control over financial reporting”;

f. Revising Item 9; and

g. In Item 10:

(i) The introductory text and paragraphs (a) and (b) are redesignated as paragraphs (a), (a)(1) and (a)(2), respectively;

(ii) Revising newly redesignated paragraph (a) and newly redesignated paragraph (a)(2); and

(iii) Adding new paragraph (b) and an Instruction to Item 10.

The revisions and additions read as follows.

Note:

The text of Form N-CSR does not, and these amendments will not, appear in the Code of Federal Regulations.

FORM N-CSR

General Instructions

F. Signature and Filing of Report.

2. (a) The report must be signed by the registrant, and on behalf of the registrant by its principal executive and principal financial officers.

Item 9. Controls and Procedures.

(a) Disclose the conclusions of the registrant's principal executive and principal financial officers, or persons performing similar functions, regarding the effectiveness of the registrant's disclosure controls and procedures (as defined in Rule 30a-3(c) under the Act (17 CFR 270.30a-3(c))) as of a date within 90 days of the filing date of the report that includes the disclosure required by this paragraph, based on the evaluation of these controls and procedures required by Rule 30a-3(b) under the Act (17 CFR 270.30a-3(b)) and Rules 13a-15(b) or 15d-15(b) under the Exchange Act (17 CFR 240.13a-15(b) or 240.15d-15(b)).

(b) Disclose any change in the registrant's internal control over financial reporting (as defined in Rule 30a-3(d) under the Act (17 CFR 270.30a-3(d)) that occurred during the registrant's last fiscal half-year (the registrant's second fiscal half-year in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting.

Item 10. Exhibits.

(a) File the exhibits listed below as part of this Form.

(a)(2) A separate certification for each principal executive and principal financial officer of the registrant as required by Rule 30a-2(a) under the Act (17 CFR 270.30a-2(a)), exactly as set forth below:

Certifications

I, [identify the certifying individual], certify that:

1. I have reviewed this report on Form N-CSR of [identify registrant];

2. Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

3. Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations, changes in net assets, and cash flows (if the financial statements are required to include a statement of cash flows) of the registrant as of, and for, the periods presented in this report;

4. The registrant's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Rule 30a-3(c) under the Investment Company Act of 1940) and internal control over financial reporting (as defined in Rule 30a-3(d) under the Investment Company Act of 1940) for the registrant and have:

(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of a date within 90 days prior to the filing date of this report based on such evaluation; and

(d) Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal half-year (the registrant's second fiscal half-year in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and

5. The registrant's other certifying officer(s) and I have disclosed to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):

(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize, and report financial information; andStart Printed Page 36673

(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.

Date:

[Signature]

[Title]

(b) If the report is filed under Section 13(a) or 15(d) of the Exchange Act, provide the certifications required by Rule 30a-2(b) under the Act (17 CFR 270.30a-2(b)), Rule 13a-14(b) or Rule 15d-14(b) under the Exchange Act (17 CFR 240.13a-14(b) or 240.15d-14(b)), and Section 1350 of Chapter 63 of Title 18 of the United States Code (18 U.S.C. 1350) as an exhibit. A certification furnished pursuant to this paragraph will not be deemed “filed” for purposes of Section 18 of the Exchange Act (15 U.S.C. 78r), or otherwise subject to the liability of that section. Such certification will not be deemed to be incorporated by reference into any filing under the Securities Act of 1933 or the Exchange Act, except to the extent that the registrant specifically incorporates it by reference.

Instruction to Item 10.

Letter or number the exhibits in the sequence that they appear in this item.

Footnotes