SECTION 404

The August Data

According to a review of regulatory filings during the month of August, 92 companies disclosed material weaknesses or significant deficiencies in internal controls, or provided material updates on the status of their control-improvement processes.

Though more than one-quarter of those disclosures were from companies making control remediation announcements, the number of companies that disclosed new material weaknesses, significant deficiencies or reportable conditions almost doubled from the 36 in July.

The number of August disclosures is the largest monthly number tracked by Compliance Week this year, and most experts believe the numbers will continue to increase over the next few months. That's because, to date, most of the disclosures have come out of the Sarbanes-Oxley Section 302 process, not the internal control provisions of Section 404, which is effective in December. SOX 302 requires that company executives certify in periodic reports that, among other things, they have evaluated the effectiveness of their internal controls, and that their conclusions have been presented in the report.

"We're going to start seeing the impact of the [SOX] 404 process," notes James DeLoach, managing director of risk consulting and internal audit firm Protiviti. "And that will start with the approaching quarterly reporting season," he adds, "so I absolutely expect we'll see an increase in the number of companies making these types of disclosures."

DeLoach's prediction is in line with those of Richard Steinberg, a governance expert and co-author of the COSO internal control framework, who told Compliance Week in June that he expected the number of deficiency disclosures to increase this fall. “A large number of companies will be looking closely at their quarterly close processes for the first time at the end of the second [June] quarter,” he predicted, “and we may see an increase in deficiencies as a result.”

Deloitte & Touche Sarbanes-Oxley Internal Control Steering Committee co-chair Steve Wagner also recently told Compliance Week that he expected the volume of disclosures to increase as companies completed remediation and external auditors got involved in the testing effort. "That will start to pick up shortly," said Wagner.

The August disclosures continued a number of trends identified by Compliance Week over the past year.

Most Common Problems

Problems with financial systems and procedures remain the most common types of weaknesses and deficiencies disclosed. In August, 54 percent of the disclosures were related to financial systems and procedures.

Typically, problems in this category are related to the financial close process, account reconciliation, or inventory processes. In addition, the problems tend to be similar regardless of company size. $484.9 million RCN, for example, cited "oversight controls over non-routine transactions," while $742.3 million packaging and container manufacturer Constar International noted an "inefficient financial reporting closing process."

The second most frequently cited category was personnel issues, at 27 percent of all disclosures in August.

Personnel-related issues are typically related to poor segregation of duties, inadequate staffing, or related training or supervision problems. In addition, the problems are more common among smaller companies with under $100 million in revenue.

$36.9 million MatchNet, for example, cited a reportable condition stemming from the fact that the company did "not have a sufficient amount or type of staff in the financial, accounting and external reporting areas, including a Controller and a Chief Financial Officer..." $15 million regional banking firm Bay View Capital similarly cited "insufficient qualified accounting personnel to identify and resolve complex accounting issues on a timely basis and lack of appropriate resources resulting in insufficient supervision and review of the financial reporting process."

As was the case with prior months, it was common for companies to disclose multiple "types" of problems; in other words, they disclosed problems with, for example, certain financial procedures and personnel-related training. $120.8 million collectibles and commemorative products company Zindart, for example, identified a variety of problems, from poor documentation and non-integrated accounting systems, to the inconsistent application of accounting estimates and untimely computation of current and deferred tax liabilities.

Similarly, it was common for companies to have multiple problems of the same "type." For example, $11.9 million graphics and publishing software company Loudeye disclosed multiple problems related to personnel, including "insufficient resources in our finance and accounting functions and an insufficient level of monitoring and oversight." The same was the case at $19.3 million customer relationship management company MAI Systems, which disclosed two personnel-related issues: the lack of segregation of duties, and "insufficient supervision of the Company’s accounting personnel."

Big Disclosures, Small Companies

The majority of internal control weakness and deficiency disclosures continue to come from small companies. In August, 84 percent of the disclosures came from companies with less than $1 billion in 2003 revenue. In July, the number was 71 percent.

In fact, 40 percent of the companies making disclosures in August had 2003 revenues of less than $100 million.

As CW has noted in prior months, the large percentage of small companies disclosing weaknesses and deficiencies is typically due to the fact that their internal controls are less formal than at global organizations, where controls are typically more structured and more rigorously documented.

Seven percent of the companies had no discernible revenue, or were holding or "shell" companies for which revenue numbers were insignificant or not reported.

As was the case with prior months, most of the disclosures came from companies with under $1 billion in revenue. In August, only 16 percent of the companies making disclosures had more than $1 billion in revenue. That number is down from 29 percent in July.

Certain Industries More Susceptible?

The largest number of disclosures came from the computer software and services industry, comprising over 20 percent of all disclosures. That's not a surprise, as the industry is relatively young and many of the companies represented were small, with under $100 million in revenue. Companies that fit those criteria tend to have small finance staffs and fewer well-developed or documented controls than mature organizations.

Other rapidly developing, technologically focused industries, including telecommunications, semiconductors and biotechnology, also accounted for a large percentage of the August disclosures.

Not represented in the chart at right are industries that accounted for less than 5 percent of the total disclosures. Those industries included—among others—real estate, leisure, automotive and consumer products.

More Detailed Remediation Disclosures

August continued a three-month trend in which companies are providing much greater detail on their internal control improvement and remediation efforts, outlining specific steps the company has taken to improve controls. "Companies are currently required to disclose any change in their internal control over financial reporting," notes Protiviti's DeLoach, "and that would include remediation efforts."

Compliance Week first identified this trend in June; however, the volume of internal control improvement disclosures has increased steadily. Prior to June, most remediation disclosures were relatively brief or vague, generally referring to efforts inside the company without providing great detail.

According to DeLoach, "what we're seeing here is that companies are providing a 'story line' for investors about what they're doing, and what to expect." DeLoach believes this is consistent with Sarbanes-Oxley's transparency mandate, as it can help The Street better understand "the uncertainty that management faces, and what management is doing to get controls ready for prime time."

There were 26 such remediation disclosures in August, comprising 28 percent of all disclosures. For example, on May 10, $138.4 million television group Fisher Communications disclosed deficiencies that included a "lack of an effective monitoring and oversight function." On Aug. 26 the company provided a detailed list of 13 steps the company had taken to improve its internal controls, which included the hiring of numerous financial staffers including an accountant, a controller, a finance vice president, a director of financial planning and analysis, and an "internal control analyst." In June, the company promoted its new finance VP to CFO, and then re-filled the VP position.

$252.9 million Shurgard Storage Centers also provided a step-by-step list of actions taken, utilizing nearly identical language as Fisher Communications: "We assigned the highest priority to the correction of these deficiencies and have taken actions to correct them, including the following..."

Interestingly, some companies, like $14.9 million dairy products company Lifeway Foods, disclosed improvements to their internal controls even though they had never disclosed a reportable condition, material weakness or significant deficiency.

We've provided a list of all companies making remediation disclosures in August, including excerpts and links to the actual filings.

Cost Estimates Articulated

In some of the remediation disclosures mentioned above, Compliance Week found that companies were actually publishing estimated remediation costs.

$562.7 million medical equipment and supply company Sola International, for example, detailed extensive remediation efforts underway and planned for the future, "including expenditures of approximately of $2.5 - $3.5 million anticipated in fiscal 2005." Even so, the company noted that, despite all its efforts, it "may not be able to take all actions required by the March 31, 2005 deadline."

$126.1 million computer software company Red Hat also projected remediation costs. The company, which had disclosed certain weaknesses related to revenue recognition, provided details on its remediation plans, estimating that "the costs will be approximately $500,000 and comprised primarily of additional computer hardware to provide faster processing capability and greater data storage capacity."

Speed To Act, Disclose

Coming on the heels of the new Form 8-K amendments, which were effective Aug. 23, some of the internal control disclosures highlighted the challenges companies will face in disclosing material information under tight deadlines.

$19.3 million customer relationship management company MAI Systems, for example, filed its quarterly report on Aug. 23. But only three days before that, the company's auditor "orally notified" the company's audit committee that significant deficiencies existed in the company's internal controls. The company had only three days to disseminate and analyze the information before disclosing it in the company's next periodic report.

Others demonstrated alacrity in addressing problems. $21.4 billion IT services firm Electronic Data Systems, for example, disclosed an internal control problem on May 14. The company's Aug. 6 quarterly report noted that the company had already addressed the issue, and provided details on how it had done so. As a result of its quick efforts, the filing noted that management "believes the measures implemented in the second quarter of 2004 have adequately addressed this deficiency such that it no longer exists."

The same was the case at $1.3 billion industrial manufacturer Foamex, which disclosed a reportable condition in May, and provided a complete remediation update three months later.

Certification Warnings And Hints Of Problems

It was also not uncommon for companies to disclose "issues" with internal controls, without specifically stating that a weakness or deficiency existed.

Those types of disclosures, ostensibly hinting at—and warning investors of—future problems, were typified in the Aug. 9 quarterly report of biopharmaceutical company Immtech International. According to the filing, the company "identified certain internal control issues which management believed needed to be improved." The company specifically stated that it "has not identified any material weakness," but that improvements have already been made to policies, procedures, monitoring and segregation of duties.

Nearly identical language was utilized by $871.5 million oil and gas transportation and storage firm GulfTerra Energy Partners.

$1.1 billion Dreyer's Grand Ice Cream Holdings disclosed that it was addressing issues that might become problems in the future, stating that "the Company has identified potential internal control improvements that may be considered future reportable conditions..."

Other companies went so far as to hint at the possibility that they may not be able to meet the SOX 404 deadline. $1.9 billion wireless telecommunications equipment company UTStarcom, for example, disclosed certain material weaknesses, and noted that it was in the midst of a thorough review of its internal controls. Those issues, combined with the fact that the company and its auditor were "currently interpreting compliance requirements under Section 404," meant that the company "cannot be certain that it will be able to comply with the requirements of Section 404 by the December 31, 2004 deadline."

A More Common Risk Factor

Companies continue to cite internal control issues as a "risk factor" in their MD&A sections, as well. That was the case at $174.3 million semiconductor equipment maker Mattson Technology, which noted that it was reviewing its internal control procedures, and that any required improvements "could be costly to prepare or implement, divert attention of management or finance staff," or cause operating expenses to increase.

$388.9 million Internet service provider Covad Communications Group also stated in its Risk Factors section that its prior weaknesses—disclosed in 2002—might become problematic in the future. The company stated that it had modified controls and procedures to address earlier issues, but acknowledged that "some of these procedures and modifications are relatively new and may still need to be improved."

Numerous other companies, including $209.7 million Lattice Semiconductors and $18.2 million file management software company Bakbone Software, made similar disclosures, noting that there were no assurances that internal control problems would not emerge, or could be completely remediated.

Lawsuits And Other Exclusions

To avoid duplication, Compliance Week's August list does not include disclosures that had been made public in prior months, unless there was a significant and material update.

Telecommunications services company telcoBlue, for example, disclosed problems in a quarterly report filed Aug. 23, but the company had already made our disclosure lists in February and June, and the August disclosure provided no material update. The same was the case at numerous other companies, including Duke Energy, Cadence Design Systems, and $75.9 million LMI Aerospace, which mentioned an internal control weakness that it had already disclosed in April and May; the company provided no material update, besides saying it had "instituted certain interim controls."

We also did not include in our list accusations of internal control weaknesses. That was the case with $1.1 billion electric power distributor DPL, whose corporate controller Daniel Thobe informed his superiors that he had "had concerns regarding financial reporting and governance issues within the DPL Companies." The controller's report, known as the Thobe Memorandum, prompted an internal investigation that discovered that three former executives allegedly defrauded the company of $33 million in deferred pay—ultimately leading to a lawsuit seeking disgorgement from the individuals. Though DPL filed an 8-K on Aug. 24 detailing the incident, a formal disclosure of internal control weakness has not yet been made by the company. As a result, DPL is not included in our August list.

Also not included in our list are allegations of internal control weaknesses in disclosures of class action lawsuits. Nine nearly identical complaints filed against $71.6 million health care management software company Quovadx, for example, claimed that the company "lacked adequate internal controls and was therefore unable to ascertain the financial condition of the Company." Though the allegations are interesting as they hint at the likelihood of increased internal control-specific litigation, the allegations are just that. As a result, Quovadx is not included in our August tally.

The same was the case at $1.0 billion electric utility NorthWestern Corp. and $46.2 million Microtune, where complaints alleged—among other things—that the companies "lacked adequate internal controls."

And finally, we have not included in our list process weaknesses that were disclosed that were not specifically noted as weaknesses or disclosures. For example, theglobe.com's Aug. 13 quarterly report described a period in March during which the company experienced an increase in credit card chargebacks that may have been due to "fraudulent transactions due to identity theft." The company noted that its "internal controls for detection of the fraudulent charges were inadequate," but theglobe.com did not specifically state that a weakness or deficiency was present.

The same was the case at $1.1 billion auto parts manufacturer Sauer-Danfoss and $1.5 billion industrial manufacturer Manitowoc Co., both of which noted they "identified certain internal controls" that management believes need to be improved, but stopped short of declaring the problems weaknesses or deficiencies.

Inclusions

Our August list does, however, include companies that provided material updates to prior disclosures. $17.2 million Universal Security Instruments, for example, disclosed a weakness in July; however—as we reported last month—the company "failed to provide details on the nature of control problems." On Aug. 16, the company acknowledged that the problem was related to "lack of segregation of duties at the Company due to the small number of employees dealing with general administrative and financial matters."

The same was the case at $190.4 million Pemco Aviation Group, which disclosed a weakness back in April. According to the company's latest quarterly report, the company "continues to have a material weakness" that resulted from personnel not fully understanding "pertinent accounting and financial reporting principles."

Back in May, $126.1 million computer software company Red Hat disclosed that it had a "deficiency in our internal control structure that was considered a reportable condition, but not a 'material weakness.'" The problem was related to accounting treatments of certain contracts. On Aug. 8, the company provided an update on the problem, noting that it now had a material weakness related to revenue recognition policies.

The List

As usual, we’re including the complete list of disclosures below. Please note that Compliance Week does not publish this list to point an accusatory finger; rather, our goal is to provide information to subscribers that might be helpful in understanding how their peers are making such disclosures and are approaching remediation.

Also, be aware that the excerpts below are just that: excerpts. The complete SEC filings are available for those who would like to review the disclosures in greater detail:

Click Here For The List Of Weakness Disclosures

Click Here For The List Of Remediation Disclosures