4310.1 S-K 308(a) requires management to provide its report on ICFR containing its assessment of the effectiveness of ICFR as of the end of the most recent fiscal year in its annual report on Form 10-K, 20-F, or 40-F (including transition reports filed on such forms upon a change in fiscal year-end). If the registrant is a non-EGC accelerated filer or a large accelerated filer, S-K 308(b) requires management to provide the registered public accounting firm's attestation report on the registrant's ICFR. Filings without the required report or reports are deficient and considered not timely, except for the limited situation described in Section 4310.6 below. Non-accelerated filers (both domestic and foreign) and EGCs (both domestic and foreign) are not required to include an auditor attestation report under S-K 308(b).

NOTE: Management's report on ICFR and the accompanying attestation report are not required in registration statements (whether under the 1933 Act or 1934 Act) or Forms 11-K. (Last updated: 6/30/2013)

4310.2 A non-EGC that enters accelerated filer status at the end of a fiscal year (based upon its public float as of the end of its second fiscal quarter) is required to include an auditor attestation report in the Form 10-K for that year. Similarly, a company that exits accelerated filer status at the end of its fiscal year (based upon its public float as of the end of its second fiscal quarter) would not be required to include an auditor attestation report in the Form 10-K for that year. (Last updated: 6/30/2013)

4310.3 The staff's Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Frequently Asked Questions ("ICFR FAQs") is available at http://www.sec.gov/info/accountants/controlfaq.htm.

4310.4 [Reserved]

4310.5 [Reserved]

4310.6 Pursuant to S-K 308, a newly public company need not provide management's report on ICFR until it either had been required to file or had filed a Form 10-K with the Commission for the prior fiscal year. A company that historically reported under the Exchange Act as a voluntary filer or because of registered debt, and therefore filed annual reports up to and through the date of its IPO, in which it was required to comply with the disclosures required by Item 308(a) of Regulation S-K, is therefore required to provide management's report on ICFR in its first annual report following the IPO.

Only "accelerated filers" that are not EGCs and "large accelerated filers" are required to provide an auditor's attestation report on ICFR under Item 308(b) of Regulation S-K. The definitions of "accelerated filer" and "large accelerated filer" require that the issuer has been subject to reporting under Section 13(a) or 15(d) and has filed at least one annual report. Newly public companies and companies that historically reported under the Exchange Act as voluntary filers or because of registered debt do not satisfy the definitions of "accelerated filer" or "large accelerated filer" for purposes of their first annual report following their IPO, and therefore are not required to include an auditor's attestation report on ICFR under S-K 308(b) in that first annual report.

A registrant should include a statement in its first annual report in substantially the following form:

"This annual report does not include a report of management's assessment regarding internal control over financial reporting or an attestation report of the company's registered public accounting firm due to a transition period established by rules of the Securities and Exchange Commission for newly public companies." [Instruction 1 to S-K 308] (Last updated: 6/30/2013)

4310.7 The framework on which management bases its evaluation of ICFR must be a suitable, recognized control framework. Many companies follow the COSO framework, but other frameworks are also acceptable. In assessing effectiveness, management evaluates whether its ICFR system addresses the elements of internal control that its chosen framework describes as necessary for an internal control system to be effective. There are no specifically required methods or procedures for evaluating ICFR, so it will vary from company to company. Management will have to use its best judgment. The evaluation must be based on procedures sufficient to evaluate both the design and operating effectiveness of ICFR. In June 2007, the SEC issued interpretative guidance regarding management's report on ICFR. [Release No. 33-8810] An evaluation following this interpretative guidance is one way to satisfy the evaluation requirements of ICFR.

Under any method of evaluating ICFR, management must attain a level of "reasonable assurance" when making conclusions about the effectiveness of ICFR. While "reasonable assurance" is a high level of assurance, it does not mean absolute assurance. The term "reasonable assurance" relates to similar language in the Foreign Corrupt Practices Act. 1934 Act Section 13(b)(7) defines "reasonable assurance" as the degree of assurance that would satisfy prudent officials in the conduct of their own affairs. There is a range of judgments that an issuer might make as to what is reasonable in implementing SOX 404 and the SEC's rules.

4310.8 S-K 308 does not specify the exact content of management's annual report on ICFR. Management should tailor the wording of the report to fit its company's particular circumstances. However, management's annual report on ICFR must state or disclose the following:

4310.9 Management must reach one of two conclusions for its assessment of ICFR — ICFR is either effective or not effective. Management cannot conclude that its ICFR is effective if there are one or more material weaknesses. Additionally, management cannot qualify its conclusion by stating that its ICFR is effective with certain qualifications or exceptions. However, management may state that its controls are ineffective for specific reasons. Because of the substantial overlap between ICFR and DCP, if management concludes that ICFR is ineffective, it must also consider the impact of the material weakness on its conclusions related to DCP. (Last updated: 9/30/2010)

4310.10 In certain circumstances, management may encounter difficulty in assessing certain aspects of ICFR. Management must still conclude whether ICFR is effective or not since management is not permitted to issue a report with a scope limitation (except under the limited circumstances described in Section 4310.11). Therefore, management must determine whether an inability to assess certain aspects of ICFR is significant enough to conclude that ICFR is not effective.

4310.11 If management does not have the ability to assess certain aspects of ICFR, management must conclude whether ICFR is effective or not, taking into consideration any scope limitation. Scope limitations are not permitted in management's report, except for the following limited exceptions (see 4310.3 for link to FAQs referenced):

For foreign private issuers who file their financial statements in their home country GAAP, management's evaluation of ICFR should consider, in addition to controls related to preparation of the primary financial statements, controls related to the preparation of the U.S. GAAP reconciliation because the reconciliation is a required element of the financial statements. [ICFR FAQ 12] (Last updated: 9/30/2010)

4310.12 Management should consider disclosing the following with respect to a material weakness:

4310.13 Management must communicate all significant deficiencies and material weaknesses it detects to the audit committee and external auditor. The SOX 302 certifications include an affirmative statement to this effect. Management must also provide written representations to the auditor regarding its internal controls.

4310.14 S-K 308 does not specify where management's internal control report must appear in the annual report on Form 10-K, but it should be located in close proximity to the corresponding attestation report issued by the company's auditor. [Release No. 33-8238] Management's report is not required to have a title. Management's report does not need to be dated or signed, but may include the date and/or the names or signatures of management.

4310.15 Our rules do not address whether the assessment of ICFR covers supplementary financial information, Regulation S-X schedules, or ASC 932 oil and gas disclosures. Internal controls over supplementary information do not need to be included in an assessment of ICFR, although adequate internal controls over the preparation of supplementary information are required. [ICFR FAQ 11]

4310.16 There is no requirement for a company to reevaluate the effectiveness of its internal controls and/or reissue a revised management's report on ICFR when a company restates its financial statements to correct errors in the financial statements. However, a company may need to consider whether or not its original disclosures in management's report continue to be appropriate in light of these errors, and should modify or supplement its original disclosure to include any other material information that is necessary for such disclosures not to be misleading in light of the restatement. The company should also disclose any material changes to ICFR, as required by S-K 308(c).

4310.17 If a company's management concludes that its original assessment of ICFR was incorrect, it should consider whether or not to revise its original report on ICFR. A company should also reevaluate the appropriateness of its prior disclosures regarding the effectiveness of the company's DCP and make any necessary revisions. For example, a company disclosed that its Chief Financial Officer and Chief Executive Officer concluded its DCP were effective in its original Form 10-K. Subsequently, the company filed a Form 10-K/A to restate its financial statements for errors. In the Form 10-K/A, the company revised its disclosures to state that the Chief Financial Officer and Chief Executive Officer concluded its DCP were not effective, and the reasons why they were not effective.