APPENDIX B
Draft Interview Questions - Issuers
Opening Remarks for Interviewer
Introduction: Welcome interviewee and introduce interviewers
Background: Provide brief background on study
Thank interviewee for participating
Cover administrative details:
Before we get started, we need to cover just a few points regarding this discussion
First, although for the most part we’ll be asking you questions about your experiences with Section 404 reporting, it is important to note that to the extent you hear anything that sounds like we are expressing a particular view, that they would be our own views and do not necessarily represent the views of the staff on the Commission or the Commission itself.
Also, we will be taking notes during the meeting to be sure we recall the important information that you share with us.
Finally, as you know, your participation in this meeting and therefore in responding to any particular question is voluntary.
Confidentiality Statement: The purpose of this interview is to gather information for use by SEC staff relating to its evaluation of the consequences of rules relating to Section 404 of the Sarbanes-Oxley Act. There is no other intended purpose. The SEC will seek to keep confidential to the extent allowable under applicable laws (i) the identity of all interviewees and (ii) any data which would identify the interviewee. Interview responses that do not identify the interviewee and the various aggregate statistical findings of the study may be made public by the SEC or its staff.
Other Notes:
Interviewers will have relevant 404-related publicly available information for the company.
Interviewees may request questions in advance of the interview.
Questions for Issuer Representatives (CFO, CEO, etc.)
Individual Background/Demographic
Could you please describe your role at the company?
What is your role in your company’s ICFR assessment process?
How long have you been with the company?
Company Demographic
What best describes your company’s organizational structure? (For example, decentralized, centralized, etc.)
Approximately how many lines of business and locations does your company operate in?
Were any material weaknesses identified and disclosed as a result of management’s assessment in either 2006 or 2007?
Management’s Assessment
Did your company utilize the SEC’s management guidance in its ICFR assessment process?
How familiar are you with the SEC’s management guidance?
Next, we would like to explore with you some more specific details regarding your experiences with management’s evaluation process:
Does your company track the effort required to conduct management’s ICFR assessment?
If so, please explain how it is tracked (e.g. company tracks number of employees involved, hours, etc.).
What is your estimate of the approximate effort involved in 2006 and 2007?
If not, can you provide an estimate of the effort involved in both 2006 and 2007?
How confident are you in these estimates?
Does your company have an internal audit group (or group that operates with a similar function)?
If so, please describe the role, if any that this group had in management’s assessment process in 2006?
Did the role change in 2007? (if applicable)
Did your company contract with outside consultants to assist with the ICFR assessment in 2006?
If so, can you describe the nature of the assistance provided by the consultants? For example, did they provide:
Overall project management assistance?
Identification of risks and controls?
Testing/gathering evidence?
Evaluation of deficiencies?
IT considerations?
Additional support for management?
External audit support?
Did your use of outside consultants change in 2007? (if applicable)
If so, how?
Please briefly describe the process management undertook to evaluate the effectiveness of ICFR in 2006? For example, how did it go about identifying the relevant risks, accounts and controls that were important to its conclusion?
Did the company make any meaningful changes in the ICFR process for 2007?
To what degree did the company’s assessment process consider the following?
Coordination with the external auditor
The role of entity-level controls, such as “tone at the top” and monitoring controls
The level of evidence gathered from directly testing internal controls (via internal audit, consultants, or management)
The level of evidence gathered from management’s self-assessment of the effectiveness of its controls
The number of risks, processes, accounts, controls, and locations included in the assessment
The manner in which the company considered entity-level controls
The level of documentation maintained in support of the assessment
The nature, timing and extent of evidence gathered
Did this change in 2007 (if applicable)?
Have any aspects of management’s ICFR evaluation been particularly time consuming or challenging? (If yes, please explain what those areas are)
Did this change in 2007? (if applicable)
Relationship with External Auditor
Does your external audit firm breakout the fees (and/or hours) for the ICFR audit from total audit fees (and/or hours)?
If so, what were the ICFR-related fees (hours) for 2006 and 2007?
If not, can you estimate the ICFR-related fees (hours) for 2006 and 2007?
What were the influential factors that contributed to changes in total audit fees from 2006 to 2007?
For example, did your company have any significant acquisitions or divestitures? Were there any accounting pronouncements that had a significant impact on audit effort in any of the two years?
Did your company have discussions with the external auditor regarding the impact AS No. 5 would have on the overall audit effort?
If so, can you describe the impact on effort and, if possible, fees?
Did your auditor perform an integrated audit in 2007 (i.e. audit the effectiveness of the company’s internal control over financial reporting in addition to the audit of the financial statements)?
If yes, were there any significant changes in the scope of the audit from the prior year as a result of AS No. 5 replacing AS No. 2 or otherwise (assuming an audit of ICFR was conducted in the prior year)?
For example, were there any significant changes in the number of significant accounts included in the assessment, the number of walkthroughs performed, the number of controls reviewed or the number of locations included?
What was the impact of the above changes on the overall audit effort?
Did the ICFR audit appear more risk focused as compared to the prior year?
Specifically, did it appear that the auditor’s approach and effort was more focused on the riskier areas?
Did their level of effort appear to vary in areas of lower risk than in higher risk areas?
Did the external auditor use the work of others (e.g. internal audit or similar function) to a greater extent in the current year audit as compared to prior year?
What was the reason behind the change?
For example, was it in response to AS 5, changes in the risk associated with particular areas, or changes in the manner in which your company conducted its assessment?
In your opinion, did the auditor rely on management to an appropriate extent? If no, please explain.
Benefits of Section 404
Overall
First, we would like to talk about the benefits you may have seen as a result of Section 404 reporting.
Do you have more confidence in the accuracy of the company’s financial reporting as a result of the ICFR evaluation process? (Please explain)
Has there been an impact on the company’s system of internal controls, such as within the financial reporting process? (Ask to describe why or why not for each)
For example,
Has it made the financial reporting process more efficient?
Has the company strengthened controls with the implementation of 404?
Has it provided employees with a better understanding of the financial reporting process and the importance of their roles in the company’s system of internal control?
Has it provided the audit committee, management, and/or employees with a better understanding of the risks related to your company’s financial reporting?
Do you believe the ICFR management evaluation process has resulted in an increased ability of the company to prevent and detect misstatement due to fraud or error? (Ask to describe why or why not? If they indicate it has, then ask to what degree)
Has the requirement to have an external audit of ICFR (if applicable) had any specific impact on your responses to the previous questions? (If so, please explain. And, if they indicate it has, then ask to what degree)
Interaction with Auditor
Has the 404 process improved the interaction between management and the auditor? For example:
Has the amount or quality of the time spent with the external auditor improved?
Do you and the auditor have a better mutual understanding of control weaknesses, including significant deficiencies and material weaknesses?
Has management’s ICFR evaluation process provided you with any additional perspective on the quality of the audit? (Please explain)
Other
Do you have any perspective on whether Section 404 has had an impact on your company’s cost of capital? (Please explain. And, if they indicate it has, then ask to what degree)
Please describe the feedback from investors/customers/vendors/lenders on their reactions to or their views on your company’s reporting on the effectiveness of ICFR.
Concluding Question
Are there any other issues related to 404 we have not covered that you would like to discuss?
Remarks for Interviewer
Introduction: Welcome interviewee and introduce interviewers
Background: Provide brief background on study
Thank interviewee for participating
Cover administrative details
Before we get started, we need to cover just a few points regarding this discussion
First, although for the most part we’ll be asking you questions about your experiences with Section 404 reporting, it is important to note that to the extent you hear anything that sounds like we are expressing a particular view, that they are our own views and do not necessarily represent the views of the staff on the Commission or the Commission itself.
Also, we will be taking notes during the meeting to be sure we recall the important information that you share with us.
Finally, as you know, your participation in this meeting and therefore responding to any particular question is voluntary.
Confidentiality Statement: The purpose of this interview is to gather information for use by SEC staff relating to its evaluation of the consequences of rules relating to Section 404 of the Sarbanes-Oxley Act. There is no other intended purpose. The SEC will seek to keep confidential to the extent allowable under applicable laws (i) the identity of all interviewees and (ii) any data which would identify the interviewee. Interview responses that do not identify the interviewee and the various aggregate statistical findings of the study may be made public by the SEC or its staff.
Other Notes:
Interviewers will have relevant 404-related publicly available information for the company.
Interviewees may request questions in advance of the interview.
Questions for Audit Committee Members
Member Background
How long have you been a member of the Board?
How long have you been on the Audit Committee?
Please describe your role on the audit committee?
Are you the chairman, the financial expert, etc.?
Do you serve (or have you served) on the board of any other public companies?
Do you (or have you served) on the audit committee for any of these?
Company Demographic
What best describes your company’s organizational structure? (For example, decentralized, centralized, etc.)
Approximately how many lines of business and locations does your company operate in?
Were any material weaknesses identified and disclosed as a result of management’s assessment in either 2006 or 2007?
Benefits of Section 404
Overall
First, we would like to talk about any benefits you have seen as a result of Section 404 reporting for (“named”) company.
Do you have more confidence in the accuracy of the company’s financial reporting as a result of the ICFR evaluation process? (Please explain. And, if so, please describe to what degree.)
Has the ICFR process had an impact on the company’s system of internal controls? For example, (ask to describe why or why not for each):
Has it made the financial reporting process more efficient? (If so, please explain to what degree)
Has the company improved controls within the financial reporting process with the implementation of 404?
How has the ICFR process impacted your financial reporting oversight responsibilities? For example:
Has it provided you with a better understanding of the financial reporting process? (If so, please explain to what degree)
Do you have a better understanding of the risks related to your company’s financial reporting? (If so, please explain to what degree)
Do you believe the ICFR evaluation process has resulted in an increased ability of the company to prevent and detect misstatement due to fraud? (If so, please explain to what degree)
Do you believe the ICFR evaluation process has resulted in an increased ability of the company to prevent and detect material misstatement due to error? (If so, please explain to what degree)
Has the requirement to have an external audit of ICFR (if applicable) had any specific impact on your responses to the previous questions? (If so, please explain)
Interaction with Auditor
As you know, SOX increased the responsibility of audit committees with regards to oversight of the external audit.
Has the increased involvement with the auditor been beneficial?
(Please explain)
Has the 404 process improved the interaction between the audit committee and the auditor? For example:
Do you have a better understanding of the audit process and decisions auditors make in the conduct of the audit?
Has the amount or quality of the time spent with the external auditor improved?
Do you and the auditor have a better mutual understanding of control weaknesses, including significant deficiencies and material weaknesses?
Other
Do you have any perspective on the impact of Section 404 on the company’s cost of capital? (If so, please explain to what degree)
Please describe the feedback from investors/customers/vendors/lenders on their reactions to or their views on your company’s reporting on the effectiveness of ICFR.
Relationship with External Auditor
Does your external audit firm breakout the fees (and/or hours) for the ICFR audit from total audit fees (and/or hours)?
If so, what were the ICFR-related fees (hours) for 2006 and 2007?
If not, can you estimate the ICFR-related fees (hours) for 2006 and 2007?
What were the influential factors that contributed to changes in total audit fees from 2006 to 2007?
For example, did your company have any significant acquisitions or divestitures? Were there any accounting pronouncements that had a significant impact on audit effort in any of the two years?
Did you have discussions with the external auditor regarding the impact of AS No. 5 (which replaced AS No. 2) on the overall audit effort?
If so, can you describe the impact on effort and, if possible, fees?
Did your auditor perform an integrated audit in 2007 (i.e. audit the effectiveness of the company’s internal control over financial reporting in addition to the audit of the financial statements)?
If yes, were there any significant changes in the scope of the audit from the prior year (assuming an audit of ICFR was conducted in the prior year)?
For example, were there any significant changes in the number of significant accounts included in the assessment, the number of walkthroughs performed, the number of processes, accounts or controls reviewed or the number of locations included?
What was the impact of the above changes on the overall audit effort?
Did the ICFR audit appear more risk focused as compared to the prior year?
Specifically, did it appear that the auditor’s approach and effort was more focused on the riskier areas?
Did their level of effort appear to vary in areas of lower risk than in higher risk areas?
Did the external auditor use the work of others (e.g. internal audit or similar function) to a greater extent in the current year audit as compared to prior year?
What was the reason behind the change?
For example, was it in response to AS 5, changes in the risk associated with particular areas, or changes in the manner in which your company conducted its assessment?
Management’s Assessment
Did the management of your company utilize the SEC’s management guidance in its assessment process for 2007?
How familiar are you with the SEC’s management guidance for conducting an ICFR assessment?
Please explain your level of involvement in management’s ICFR evaluation process? (this question will impact the additional questions below)
Next, we would like to explore with you some more specific details regarding your experiences with management’s ICFR evaluation process:
Does your company track the effort required to conduct management’s ICFR assessment?
If so, please explain how it is tracked (e.g. company tracks number of employees involved, hours, etc.).
What is your estimate of the approximate effort involved in 2006 and 2007?
If not, can you provide an estimate of the effort involved in both 2006 and 2007?
How confident are you in these estimates?
Does your company have an internal audit group (or group that operates with a similar function)?
If so, please describe the role, if any this group had in management’s assessment process in 2006?
Did the role change in 2007? (if applicable)
Did your company contract with outside consultants to assist with management’s ICFR assessment in 2006?
If so, can you describe the nature of the assistance provided by the consultants? For example, did they provide:
Overall project management assistance?
Identification of risks and controls?
Testing/gathering evidence?
Evaluation of deficiencies?
IT considerations?
Additional support for management?
External audit support?
Did your use of outside consultants change in 2007? (if applicable)
If so, how?
Please briefly describe the process management undertook to evaluate the effectiveness ICFR in 2006? For example, how did it go about identifying the relevant risks, accounts and controls that were important to its conclusion?
Did the company make any meaningful changes in management’s ICFR assessment process for 2007?
To what degree did the company’s assessment process consider the following?
Coordination with the external auditor
Entity-level controls, such as “tone at the top” and monitoring controls
The level of evidence gathered from directly testing internal controls (via internal audit, consultants, or management)
The level of evidence gathered from management’s self-assessment of the effectiveness of its controls
The number of risks, controls, and locations included in the assessment
The manner in which the company considered entity-level controls
The level of documentation maintained in support of the assessment
The nature, timing and extent of evidence gathered
Did this change in 2007 (if applicable)?
Have any aspects of management’s ICFR evaluation been particularly time consuming or challenging?
Did this change in 2007? (if applicable)
Other 404-Related Board and Audit Experiences
In regards to the public companies that you serve (served) on the board (and audit committee) post-SOX, are (were) these companies accelerated or non-accelerated filers?
How has SOX Section 404 reporting affected these companies?
For example, has your experience with 404 differed for these companies (as compared to “named” company)?
(Please explain)
Have there been any differences in your audit experiences (i.e., under 404(b)) for these companies (as compared to “named” company)?
(Please explain)
Have you served or do you serve on the board and/or audit committee of any non-public companies or not-for-profit enterprises?
Has any of this service been post-SOX?
If so, how has Section 404 affected these companies or enterprises?
Concluding Question
Are there any other issues related to 404 we have not covered that you would like to discuss?
| File Type | application/msword |
| File Title | • |
| Author | croteaub |
| Last Modified By | crawleyp |
| File Modified | 2008-04-10 |
| File Created | 2008-04-10 |