Control issues

Deficiency may not be a four-letter word, but since the arrival of Sarbanes-Oxley, it may seem that way to many corporate executives dealing with intensive reporting requirements. Sections 302 and 404 have caused frustration and angst for many public company officials. The dust has settled on the first round of Sox filings, and second-year reports are still coming in, but there remain concerns when a situation arises requiring disclosure of a weakness or deficiency.

‘There are always strong concerns from management about what is disclosed, the veracity of what is disclosed and the timing of disclosure, particularly with something that can be viewed as negative,’ says Chet Hosch, a partner at Shreeder, Wheeler & Flint. ‘But as far as Sox reporting goes, this may lessen in time as it’s clear what happened in cases such as Enron or WorldCom wasn’t as widespread as initially feared.’

Prior to the appearance of Sox, a company’s primary focus was on disclosing accurate numbers. But in today’s climate, the process by which a company compiles data is nearly as important as the actual data.

As the business and auditing communities grow more accustomed to Sox requirements, disclosures of material weakness have declined. A study by Moody’s Investors Service reviewed the second-year internal control reports for calendar year-end companies. The report finds that only 75 have reported a material weakness, compared to 117 filed for 2004, the first full post-Sox reporting year for large companies.

While the number of reported 404 deficiencies may be down, problems remain in other areas. Consider the situation where a company reports effective controls under Section 302 but at the same time reports material weakness in the internal controls under Section 404, or vice versa.

Different requirements

The situation seems incongruous, but the reason it exists is that there are distinct differences – and ambiguities – between the provisions. While Sections 302 and 404 both review a company’s internal controls, their requirements are very different.

Under Section 302, the CEO and CFO must evaluate the company’s internal controls on a quarterly basis and certify that they are sufficient to reveal material problems in the company’s finances. No verifying documents are required for the attestation.

However, the annual review under Section 404 requires management to verify the internal controls over financial reporting, provide supporting documentation and have these results verified by an independent auditor. The reports filed pursuant to the two sections are not always congruent.

‘Section 302 deals primarily with the mechanisms and procedures that are in place for the timely disclosure of information,’ says Hosch. ‘On the other hand, 404 actually looks to validate the financial information. It goes to the very nature of what financial reporting is all about – whether the underlying information is accurate.’

The question has been raised whether a weakness or deficiency reported under Section 404 should be indicated in prior Section 302 reports. Are companies being thorough in evaluating their internal controls for Section 302?

A study by Lord & Benoit, a Sarbanes-Oxley research and compliance firm, evaluated financial reporting statements filed through February 2006. In the first year under Sox, 586 companies reported ineffective internal controls under Section 404. However, when each company’s previous year Section 302 reports were reviewed, only 47 of those 586 companies reported ineffective controls under Section 302. In the quarter previous to the adverse filing, only 75 of the 586 companies reported ineffective controls.

The study further indicates that as of March 2006, 3,894 Section 404 opinions had been filed by SEC registrants (fiscal year-end prior to November 15, 2005). Of the disclosures filed, 16.2 percent had been found to have ineffective internal controls by the independent auditor.

One of the cited contributing factors to the adverse filings was ineffective accounting personnel. This was a factor in more mid-level companies, possibly because large companies have the advantage of greater financial resources to invest in the personnel and systems needed to ensure compliance.

One fact noted in the study: 51 percent of the companies reporting ineffective controls had revenues under $250 million. ‘These are the companies in the public eye that have the highest risk,’ says David Richards, president of the Institute of Internal Auditors. ‘They’re in growth and building mode and under the most marketplace pressure to demonstrate a continuous positive financial direction.’

While reports of deficiencies decreased, restatements have risen. In 2004, 7 percent of filers issued restatements in 2004, and that number increased to 14 percent in 2005.

Straight and narrow

Sox has its share of critics, many of whom point to the independent audit requirement as an overly burdensome requirement bringing excessive costs. But while the SEC evaluates the independent audit requirement for small-cap companies, some believe it may be what is keeping many businesses on the straight and narrow.

While the SEC has delayed the audit requirements for small companies, Canada recently did away with their independent audit requirement. While most Canadian companies support the corporate governance efforts, the audit requirement was deemed too costly to the smaller companies primarily affected.

In reviewing the reports of US companies and noting the number of those reporting deficiencies after the independent audit, the Lord & Benoit report went so far as to suggest that the additional independent review may be the catalyst behind companies making a disclosure they may not have done voluntarily. ‘When you look at the statistics, they do raise a question,’ Richards says. ‘A very large proportion of companies were filing 302s saying there were no problems. Then at the end of the year, there’s suddenly a major deficiency. It seems very unlikely that the problem suddenly came about in the last quarter of the year.’

But experts say that out of the hundreds or thousands of internal controls evaluated, any number of factors can affect the outcome for reporting purposes. Because the SEC has left the definition of ‘internal controls’ somewhat vague, operational and financial processes in any number of areas such as information technology, environmental compliance and human resources are subject to review.

‘A deficiency could be caused by something as simple as, for example, modifying the way material is pulled together when a new financial system is implemented,’ says Tricia Martin, a senior director with Callaway Partners. ‘These kinds of changes in financial operations can easily cause a retest and uncover issues not previously in existence.’

Pressure on auditors

In addition to the demand for companies to have favorable reports, the new rules have increased the pressure on auditors. ‘Whenever you bring personal liability for the auditor into play, the need for additional scrutiny becomes obvious,’ says Frank Scheuerell, Callaway’s partner in charge of financial reporting services. ‘And if there is not a strong control environment, the auditors are going to have to do more audit work to be satisfied with the disclosures.’

Criticism has been leveled at the SEC as well as the Public Company Accounting Oversight Board (PCAOB) for a lack of guidance to auditors for applying PCAOB standards and in defining material weaknesses. In not having clear definitions, critics say, the cost of compliance will continue to be excessive because companies cannot be certain exactly what they need to do and as a result do too much.

But companies are looking to conserve compliance costs in other ways. The decreasing number of companies filing reports of deficiency may indicate a streamlining of processes by auditors and compliance managers. ‘In the beginning, companies were overreacting and auditors were going along with management, basically saying, If you want to check that many things, that’s fine,’ says Richards. ‘But now they’re working closer in defining the key controls. Over a period of time they’ll reduce the number of those down to just the meaningful controls, making the audit process much quicker.’

A one-off material weakness filing may not significantly affect market value, but consecutive filings may indicate a lack of willingness or ability to rectify problems and will cause considerable stock depreciation.

‘There was a lot of apprehension at first about how the marketplace would react to disclosure of a material weakness or deficiency,’ says Scheuerell. ‘Most companies normally file their 10K detailing the issues and a remediation plan, which gives a certain level of confidence to the market.’

‘When it’s viewed in context – management did their job, made a disclosure, fixed it and there’s no harm – the marketplace may generally see that as a positive and not a negative,’ agrees Richards. ‘So from that standpoint, it actually offers a greater level of reliance on management’s oversight of the environment in which financial statements are being prepared.’

While many reported deficiencies are unavoidable, Richards says companies should test their internal controls throughout the year to avoid surprises during the annual review. Management should confirm their controls are in place on a quarterly basis. ‘That gives some positive evidence to support the fact that key controls are being monitored and evidence is being collected and reviewed. It also identifies problems early,’ he says.

‘It’s been a couple of years and the accounting industry has had the opportunity to get their arms around Sox,’ Hosch concludes. ‘They’ve also addressed the needs relating to 302 and 404, and we’ve begun crafting procedures that seem to be consistent with congressional intent. So while there’s always a risk of misinterpreting, the industry seems to finally be developing a game plan to further the goals of the legislation.’