Internal Control Disclosures From October

THE FILINGS

Weaknesses, Deficiencies

Weaknesses: View The Actual Internal Control Disclosures From October

Other Types Of Disclosures

Remediation: View Examples Of Control Remediation Disclosures In October

Risk Factors: Examples Of Controls As "Risk Factors" In Companies' MD&A

Issues: Examples Of Companies Disclosing "Issues" With Controls

Changes: Disclosures Of Changes In Controls As Per SOX 302

Warnings: Examples Of Forward-Looking Warnings On Controls

Going Private: Example Of Company Citing SOX 404 In Going Private

According to a review of regulatory filings, 63 companies disclosed material weaknesses or significant deficiencies in internal controls during the month of October. That's up from 40 during the prior month.

The slight increase in disclosures from September comes as companies rush to meet the November compliance deadline for Sarbanes-Oxley Section 404, which requires management to assess the effectiveness of the company's internal control over financial reporting. Each company's auditor must also report on—and attest to—management's assessment.

Compliance Week has been tracking these disclosures all year. Though SOX 404 is effective for accelerated filers Nov. 15, many companies have been making internal control disclosures as part of SOX Section 302, which requires that executives certify in periodic reports that—among other things—they have evaluated the effectiveness of their internal controls, and that their conclusions have been presented in the report.

The October disclosures continue a number of trends that have been visible all year, and introduced some new factors as well.

Financial Systems And People Problems

Problems with financial systems and procedures remain the most common types of weaknesses and deficiencies disclosed. In October, 53 percent of the disclosures were related to financial systems and procedures. That number is consistent with recent months; in September, the number was 51 percent, and in August it was 54 percent (see chart, below).

Typically, problems in this category are related to the financial close process, account reconciliation, or inventory processes. Toyota Motor Credit Corp., for example, disclosed a weakness related to the design and review of revenue recognition policies, "particularly in the area of incremental direct costs and fees and in the structure and design of related financial information systems."

The second most common type of weaknesses related to personnel issues. These people problems—typically related to poor segregation of duties, inadequate staffing, or related training or supervision problems—accounted for 31 percent of all disclosures. In September, the number was 32 percent, and in August it was 27 percent.

Personnel problems were especially common at smaller public issuers. An example was $31.9 million Viacell, which disclosed a reportable condition related to its small finance and accounting staff, and at Curon Medical, which noted it needed to conduct "additional training of our sales and marketing staff to minimize the risk of revenue recognition errors."

MOST COMMON

Other problems commonly cited were deficiencies in documentation, cited in 6 percent of the disclosures, and IT controls, cited in 5 percent.

Mergers and acquisitions were also cited as source of some weakness disclosures. That was the case at $1.3 million FreeStar Technology, which develops software for the financial services sector. During the firm's due diligence of acquisition target TransAxis, it "identified certain accounting-related deficiencies in the books of TransAxis" that prevented TransAxis from obtaining audited financial statements "without undue effort and expense." FreeStar ultimately terminated the acquisition agreement, citing TransAxis' "failure to disclose material liabilities and contingencies" and meet other obligations.

Multiple Types

Companies disclosing weaknesses commonly had numerous control issues related to a particular type of problem. Among the deficiencies disclosed at $62.9 million Gilman & Ciocia, for example, were two related to financial systems and procedures: a lack of integration of the general ledger system with other record-keeping systems, and "the need for formal control systems for journal entries and closing procedures." The

company also disclosed several personnel-related deficiencies, including the need to hire additional staff, to provide training on SEC reporting requirements, and to "change the structure of the finance/accounting department."

It was also common for companies to disclose more than one "type" of weakness. $497 million motion picture producer and distributor Alliance Atlantis Communications, for example, disclosed issues with financial systems and procedures, as well as personnel issues like a "lack of clearly defined roles." $6.4 billion chemical manufacturer Rohm & Haas also disclosed a variety of deficiencies, including documentation of controls, timely account reconciliation and verification, and segregation of duties.

In almost every case, the weakness and deficiency disclosures were very explicit, detailing the exact problem identified. In only a few cases were the disclosures surprisingly vague. One was $20.4 billion global staffing firm Adecco, which simply noted that it was "working to strengthen its internal controls," and that a compliance and ethics officer had been hired. That's after the firm was hit by an accounting scandal that resulted in the resignation of several senior executives, a grand jury subpoena, a clean sweep of its board of directors, and investigations by the SEC and the Swiss Federal Banking Commission.

The other example was $855.9 million KinderCare Learning Centers, which noted that during its SOX 404 documentation and testing process it "identified certain deficiencies that we are remediating." The company noted that the problems were communicated to the audit committee, but did not provide details on what the problems were.

Remediation

For the fifth straight month, companies continued to provide detailed remediation disclosures, outlining specific steps taken to improve controls. $1.1 billion JLG Industries, for example, disclosed a weakness back in February, and in its annual report—filed Oct. 6—the company offered a bulleted list of steps it had taken to correct the weakness, including the implementation of additional detection controls to catch accounting errors, the initiation of training sessions to educate employees, and the codification of revenue recognition policies "to include a clearly understandable summary of key elements of the policy to better ensure broader understanding of the policy among our personnel."

$520.1 million Richardson Electronics was much more brief, stating in one sentence that it had "made progress" on remediating weaknesses, "including drafting new policies and procedures, reinforcement of existing procedures and documentation of management review and approval processes."

We've provided a list of sample remediation disclosures from October, which can be found in the box above, right.

More Risk Factors

Companies continue to cite internal controls as risk factors in the MD&A sections of periodic reports. For example, using fairly typical language, tiny biopharmaceutical firm Myogen clarified that it could not guarantee that a weakness would not be identified, or that it could be fully corrected before the next annual report.

$6.2 billion Seagate Technology similarly disclosed that it expected to comply with SOX 404, but that "we cannot be certain as to the timing of completion of our evaluation, testing and remediation actions or the impact of the same on our operations since there is no precedent available by which to measure compliance adequacy."

Interestingly, one company noted that the summer's hurricanes in Florida had impacted internal control remediation efforts, and might contribute to the firm's inability to comply with SOX 404. "When the hurricane hit Grand Cayman," noted $19.1 million Consolidated Water Co., "the Company was in the process of implementing various improvements in its internal control over financial reporting" for 2004. "However, such activities were curtailed when the hurricane struck," noted the company, adding that corporate staff "is unlikely to complete all of the planned improvements required for management and the Company’s independent public accountants to issue unqualified attestation reports on the Company’s internal control over financial reporting."

Sample risk factor disclosures are available from the box above, right, as well.

Forward-Looking Statements

Companies also continue to make disclosures in advance of actual problems, attempting to get ahead of the issue and avoid surprising the market. $99.3 million Pegasystems, for example, noted that it "may have some deficiencies in internal controls over financial reporting," and that it was working to remediate the problems.

The same was the case at regional bank Sterling Financial, whose CEO noted in an 8-K that the company had "identified areas where [internal control] efficiencies could be gained." The company was not disclosing a weakness or deficiency. $1.3 billion Walter Industries also noted that it had "identified areas of our internal controls requiring improvement, and are in the process of designing enhanced processes and controls to address issues identified through this review."

INTERNAL VS. DISCLOSURE CONTROLS

D. Differences between Internal Control over Financial Reporting and Disclosure Controls and Procedures

Many of the commenters on the Proposing Release indicated that they were confused as to the differences between a company's disclosure controls and procedures and a company's internal control over financial reporting. Exchange Act Rule 13a-15(d) defines "disclosure controls and procedures" to mean controls and procedures of a company that are designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. The definition further states that disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that the information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to the company's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.

While there is substantial overlap between a company's disclosure controls and procedures and its internal control over financial reporting, there are both some elements of disclosure controls and procedures that are not subsumed by internal control over financial reporting and some elements of internal control that are not subsumed by the definition of disclosure controls and procedures.

With respect to the latter point, clearly, the broad COSO description of internal control, which includes the efficiency and effectiveness of a company's operations and the company's compliance with laws and regulations (not restricted to the federal securities laws), would not be wholly subsumed within the definition of disclosure controls and procedures. A number of commenters suggested that the narrower concept of internal control, involving internal control over financial reporting, is a subset of a company's disclosure controls and procedures, given that the maintenance of reliable financial reporting is a prerequisite to a company's ability to submit or file complete disclosure in its Exchange Act reports on a timely basis. This suggestion focuses on the fact that the elements of internal control over financial reporting requiring a company to have a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles can be viewed as a subset of disclosure controls and procedures.

We agree that some components of internal control over financial reporting will be included in disclosure controls and procedures for all companies. In particular, disclosure controls and procedures will include those components of internal control over financial reporting that provide reasonable assurances that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles. However, in designing their disclosure controls and procedures, companies can be expected to make judgments regarding the processes on which they will rely to meet applicable requirements. In doing so, some companies might design their disclosure controls and procedures so that certain components of internal control over financial reporting pertaining to the accurate recording of transactions and disposition of assets or to the safeguarding of assets are not included. For example, a company might have developed internal control over financial reporting that includes as a component of safeguarding of assets dual signature requirements or limitations on signature authority on checks. That company could nonetheless determine that this component is not part of disclosure controls and procedures. We therefore believe that while there is substantial overlap between internal control over financial reporting and disclosure controls and procedures, many companies will design their disclosure controls and procedures so that they do not include all components of internal control over financial reporting.

Excerpt Above From SEC Release 33-8238; Click To Read Full Version

We've made available a sampling of forward-looking disclosures, which can be found in the box above, right.

Internal Controls, Or Disclosure Controls?

October was the first month during which several companies described financial reporting problems as weaknesses in "disclosure controls and procedures." The controls, known to insiders as "DC&Ps," are meant to ensure that information in SEC filings has been recorded, processed, summarized and reported in an accurate and timely fashion. CEOs and CFOs are personally responsible for establishing and maintaining an overall

system of disclosure controls and procedures.

According to Richard Steinberg, co-author of the COSO Internal Control—Integrated Framework who also writes a monthly column for Compliance Week, this is an area that has been the subject of misunderstandings and varying interpretations. Steinberg notes that, generally speaking, internal control over financial reporting can be thought of as a subset of disclosure controls and procedures. That's because internal control over financial reporting deals with the reliability of the financial statements, while disclosure controls and procedures deals with the reliability of information—financial and non-financial—in all Exchange Act reports. "If one considers the array of such information," says Steinberg, "it becomes evident how extensive DC&P can be."

Richard Robbins, a partner at the law firm of Sidley Austin Brown & Wood, agrees that the issue is confusing, but believes the Commission spelled out the differences in its final rule implementing SOX 404. "I think the SEC did a good job of describing the overlap between internal control over financial reporting and disclosure controls and procedures" in its release. We've provided an excerpt from the release at left.

Examples of companies disclosing DC&P weaknesses included $135.9 million long-distance carrier Acceris Communications, which disclosed a deficiency related to the company's "ability to produce accurate financial information on a timely basis." $46.2 million medical equipment and supplies company Fischer Imaging also disclosed DC&P problems, including areas of revenue recognition and "classification of revenues and expenses and adherence to generally accepted accounting principles." The same was the case at $34.5 million HMI Industries and others.

Changes In Controls

Another trend identified during October was the disclosure of changes in the status of controls since the prior period filing. The SEC's final rule implementing Section 302 of Sarbanes-Oxley requires—among other things—that companies disclose in quarterly and annual reports whether there have been "significant changes in the issuer's internal controls" or in other factors that could affect those controls. Experts have noted in Compliance Week that control improvements should be included.

That was exemplified in a quarterly report from $6.7 billion Public Service Electric & Gas, which noted that it made "significant changes" to controls as the result of the SOX 404 testing process. The changes "improved the design and operational effectiveness of PSEG's control processes and systems for financial reporting."

The same was the case at $1.1 billion Ferrellgas Partners, which disclosed it had modified its internal controls to align them with the implementation of a new technologies that oversee customer administration and operational workflow.

We've made available a separate table of these disclosures of changes in controls, which can be found in the box above, right.

PCAOB Citations

In addition, many of the October disclosures referred for the first time to the Public Company Accounting Oversight Board's internal control standards.

That was the case at $77 million footwear company McRae Industries, which disclosed that Grant Thornton had identified material weaknesses under the PCAOB's standards. In past months, most companies made reference to the AICPA standards.

In addition, Compliance Week noticed a marked decrease in the number of companies disclosing "reportable conditions" as defined by the AICPA. According to PCAOB Deputy Chief Auditor Tom Ray, that term has been superseded by the term "significant deficiency." Compliance Week addressed the differences in these definitions in an article published in May titled "Is That A Reportable Condition Or A Significant Deficiency?"

Disclosures Tied To Auditor Exits

Interestingly, several internal control weakness disclosures were made as part of 8-K announcements reporting a change in auditor.

That was the case at $46.2 million Fischer Imaging Corp., restaurant company Grill Concepts, network security firm Netwolves, $49.9 million Comdial, tiny electronics firm Tripath Technology, and others.

Compliance Week contacted several companies whose disclosures were tied to auditor exits, including the companies above and firms like XRG Inc. and Iteris Holdings, but no company would comment on the "chicken or the egg" question; namely, did the uncovering of an internal control weakness lead to the auditor dismissal, or vice versa.

Some companies disputed their auditor's assessment that a weakness existed. $13.9 million Tripath Technology, for example, disagreed with its auditor's assessment that a weakness existed in the company's ability to estimate distributor sales returns, which is a revenue recognition issue. "Tripath is actively recruiting a "financial expert" to join the Board and does not agree that there is a material weakness," the company said in an 8-K.

Not Weaknesses, But "Issues"

Companies continue to use vague wording to describe "issues" or "problem" with controls, without specifically calling them weaknesses or deficiencies. That was the case at $148 million Frontier Financial, which disclosed that it had "identified certain internal control issues which management believed would benefit from improvement." The regional bank clarified that the problems were not weaknesses as defined by the PCAOB, and that improvements are underway.

$26.1 billion telecommunications firm Sprint also noted that, during its review of internal controls related to capital assets, it identified a calculation error since 1999 "in the overstatement of interest capitalized during the construction of its Wireless capital assets, with a corresponding understatement of interest expense." Again, the company stopped short of stating the problem was a weakness or deficiency.

The same was the case at Markland Technologies, which noted it had "less than the desirable number of people performing a majority of the financial duties," and that it lacked resources for a comprehensive internal audit function. The company noted that the risks associated with the lack of segregation of duties and limited staff "have been largely mitigated."

An 8-K filed by $245.2 million Computer Horizons disclosed an accounting error that would result in a restatement, but did not disclose a weakness. Instead, the company's audit committee chairman simply commented that the company "is taking steps to strengthen its internal control processes and procedures in order to prevent the reoccurrence of events resulting in the need to restate prior period financial statements.”

We've made a separate chart of these disclosures of "issues" available in the box above, right.

Regulatory Settlements

Internal control weaknesses continue to be named in class action lawsuits as well. Though we don't usually include those announcements in our monthly tallies of internal control disclosures as they are accusations and not acknowledgements from the issuer that weaknesses exist, we did include the disclosure of a settlement between Qwest and SEC. The Commission had accused the telecommunications firm of—among other things—a "lack of internal controls and inadequate books and records" that resulted numerous accounting errors, including $850 million understatement of expenses related to the firm's merger with US West.

$53.7 billion Fannie Mae disclosed that it would "take a series of steps with respect to its internal controls, organization and staffing," and other issues as part of an agreement with OFHEO after its recent accounting scandal. In addition, former Senator Warren Rudman would lead an independent review of staff structure, function, and compensation, "as well as the implementation of policies to ensure adherence to new accounting treatment and internal controls."

Exclusions And Inclusions

We included shell companies in our list, but only if we could confirm the company's existence and assets. Inform Worldwide Holdings, for example, disclosed a number of weaknesses, but the company was not reachable and does not maintain its Web site. In addition, the company filed articles of dissolution in 2002, and its auditor raised "substantial doubt about the Company’s ability to continue as a going concern." As a result, Inform is not included in our October list. The same was the case at Marketshare Recovery, Norita Capital Partners, Xenonics Holdings, and others.

We also did not include control improvements that did not pertain to financial reporting. The international banking unit of $2.5 billion UnionBanCal, for example, disclosed an agreement with the New York Reserve Bank in which whey would fully address certain deficiencies in policies and procedures; however, the policies related to anti-money laundering provisions of The Patriot Act, not financial reporting. The same was the case with $2.9 billion AmSouth Bancorporation, which disclosed inadequate internal controls pertaining to the Bank Secrecy Act.

As usual, we also excluded companies that had already disclosed a deficiency or weakness, and were not providing a material update. That was the case with Nighthawk Systems, which had disclosed a weakness last year, and provided no material update in an October filing. The same was the case at $44.0 million Digital Recorders—the company disclosed a weakness Oct. 1, but the disclosure was duplicative of another filing made May 6, and no new information was presented.

We did, however, include companies that were providing new information or material updates. $28.2 million Productivity Technologies, for example, had previously disclosed weaknesses related to the review of general ledger accounts and the timely recording of transactions; however, on Oct. 13 the industrial equipment manufacturer disclosed five new deficiencies related to account reconciliation, recordkeeping, late filing of periodic reports, and other issues. $66.3 million Energy Conversion Devices also disclosed reportable conditions on May 27, but on Oct. 1 disclosed four new significant deficiencies related to insufficient documentation, segregation of duties, data security, and other issues.

The same was the case at $4.1 billion Levi Strauss & Co. Back in March, the company disclosed it was the subject of class action lawsuits alleging internal control weaknesses or deficiencies, although the maker of jeans and sportswear did not confirm that allegation. In the company's quarterly report filed Oct. 12, the company disclosed that its audit committee had indeed been informed of a material weakness in internal controls.

The List

As usual, we’re including the complete list of disclosures, as well as a variety of other types of discloses mentioned in this article (see box at right). Please note that Compliance Week does not publish this list to point an accusatory finger; rather, our goal is to provide information to subscribers that might be helpful in understanding how their peers are making such disclosures and are approaching remediation.

Also, be aware that the excerpts below are just that: excerpts. The complete SEC filings are available for those who would like to review the disclosures in greater detail:

Click Here For The List Of Weakness Disclosures