CONFIDENTIAL TREATMENT OF
CERTAIN DESIGNATED
PORTIONS OF THIS LETTER HAS
BEEN REQUESTED BY MORGAN
STANLEY. SUCH CONFIDENTIAL
PORTIONS HAVE BEEN
OMITTED, AS INDICATED BY [*]
IN THE TEXT, AND SUBMITTED
TO THE COMMISSION.
October 15, 2013
By U.S. Mail & Facsimile to (703) 813-6987
Mr. Kevin W. Vaughn
Accounting Branch Chief
Division of Corporation Finance
Securities and Exchange Commission
100 F Street, N.E.
Mail Stop 4561
Washington, DC 20549
| Re: | Morgan Stanley |
| Form 10-K for Fiscal Year Ended December 31, 2012 |
| Filed February 26, 2013 |
| File No. 001-11758 |
Dear Mr. Vaughn:
Morgan Stanley (the “Company”) is providing to the staff (the “Staff”) of the Securities and Exchange Commission (the “Commission”) an additional supplement (the “Supplemental Letter II”) to its letter dated September 10, 2013 (the “Supplemental Letter”) and to its original response letter, dated August 15, 2013 (the “August 15 Response Letter”), which responded to the Staff’s comment letter dated August 2, 2013 to Ms. Ruth Porat, the Company’s Executive Vice President and Chief Financial Officer.
The Company would like to enhance its Supplemental Letter and August 15 Response Letter with the following additional information.
1
As noted in the Company’s August 15 Response Letter, the Company has an established process to assess risks related to its objective of ensuring reliable published financial statements and an internal control environment designed to address these risks through entity and business level controls, which include specific disclosure and financial statement close process controls. The Company’s program pursuant to Section 404 of the Sarbanes-Oxley Act (the “SOX Program”) was described in detail in both its August 15 and July 24, 2013 Response Letters. The SOX Program is dynamic, incorporating the five pillars set forth by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) inInternal Control-Integrated Framework (1992). The Company believes those pillars are both comprehensive and interdependent, and in order for the SOX Program to be effective, it must incorporate these aspects. As described below, the Company’s year-end analysis of all identified deficiencies includes a review to determine pervasiveness of deficiencies as they relate to the five COSO pillars and is designed to determine whether significant deficiencies or material weaknesses exist in any of the COSO pillars or other general themes. The Company’s approach to Risk Assessment and Monitoring Activities is described below.
Risk Assessment
Based on its established and communicated risk and control objectives, the Company is continually assessing its risk profile to ensure that it is addressing risk adequately and in a timely manner. The Company has in place a formal risk assessment process utilizing a firmwide, standardized risk and control taxonomy based on various factors including, but not limited to:
| • | Fraud |
| • | Clients Profiles, Product Complexity and Business Practices |
| • | Business Disruption and Systems Failures |
| • | Execution, Delivery and Process Management |
The process is designed to identify risks to the organization and the corresponding controls, which have been established to mitigate risks related to internal controls over financial reporting. Results of the risk assessment process are communicated to senior management responsible for identifying and implementing a control structure designed to ensure the risk profile is in line with established standards and objectives.
[*]
2
[*]
[*]
[*]
These aspects of risk assessment are intended to provide a basis for evaluating changes that could significantly impact the system of internal controls over financial reporting.
Monitoring Activities
Based on the various risk assessment activities described above, the Company has implemented a series of independent control evaluations (i.e., Monitoring Activities) by the SOX Group and the Internal Audit Department aimed at identifying deficiencies in the design adequacy and/or operating effectiveness of controls established to mitigate risk associated with financial reporting.
[*]
[*]
| • | [*] |
| • | [*] |
3
| • | [*] |
| • | [*] |
Information obtained from the Monitoring Activities described above is a significant source of information that is utilized in the Company’s continual risk assessment process (i.e., identified deficiencies prompt immediate review of the current risk profile and update to the control environment).
Analysis of Identified Deficiencies
The Company performed a thorough analysis of all identified deficiencies that resulted from the monitoring activities noted above. The analysis included review of a number of reference publications including PCAOB Auditing Standard 5, SEC Commission Publications defining the terms Significant Deficiency and Material Weakness and the COSOInternal Control-Integrated Framework (1992).
[*]
[*]
In evaluating these Risk Assessment and Monitoring Activities deficiencies, the Company looked to preventive and detective controls, close process entity level controls and/or other monitoring activities to ensure that the risk of control failure or misstatement of financial reporting elements was remote.
4
[*]
Conclusion
[*] Accordingly, the Company believes, after consideration of all relevant factors and information that the overall design and operation of its control framework established to meet the COSO requirements for financial reporting was effective and the Company’s Risk Assessment process and related ongoing Monitoring Activities were functioning as intended for the periods ending December 31, 2011 and 2012.
5
* * * * *
In connection with responding to the Staff’s comments with this Supplemental Letter II, the Supplemental Letter and the Company’s August 15 Response Letter, we acknowledge that:
| • | the Company is responsible for the adequacy and accuracy of the disclosure in the filings; |
| • | Staff comments or changes to disclosure in response to Staff comments do not foreclose the Commission from taking any action with respect to the filings; and |
| • | the Company may not assert Staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities law of the United States. |
Please feel free to contact me at (212) 761-6686 if you would like further clarification or additional information.
| Sincerely, |
| /s/ Paul C. Wirth |
Paul C. Wirth Deputy Chief Financial Officer |
| cc: | Ruth Porat, Executive Vice President and Chief Financial Officer |
Jeffrey M. Kottkamp, Deloitte & Touche LLP
James V. Schnurr, Deloitte & Touche LLP
Yolanda Trotter, Securities and Exchange Commission
6