Internal Control Disclosures From September

SECTION 404

The September Data

View The Actual Internal Control Disclosures From September

View Sample Disclosures Of Remediation Efforts From September

View Samples Of Internal Controls As Risk Factors

According to a review of regulatory filings, 40 companies disclosed material weaknesses or significant deficiencies in internal controls during the month of September, and dozens of others listed controls as "risk factors" or provided information on control-improvement efforts.

The September number was down from August; however, that's primarily due to the large number of companies filing quarterly reports that month—second quarter 10-Qs were due August 9. In recent months, experts have told Compliance Week they expect the number of internal control disclosures to increase through 2005.

The disclosures in September replicated prior months' trends in numerous respects, including the following:

Most Common Problems

Problems with financial systems and procedures remain the most common types of weaknesses and deficiencies disclosed. In September, 51 percent of the disclosures were related to financial systems and procedures. In August, the number was 54 percent.

Typically, problems in this category are related to the financial close process, account reconciliation, or inventory processes. That was the case at $6.7 billion IT services firm Science Applications International Corp., which disclosed a material weakness that included an "inadequate tax account structure in our accounting records."

The second most frequently cited was related to personnel issues, accounting for 32 percent of all disclosures in September. In August, the number was 27 percent.

Personnel-related issues are typically related to poor segregation of duties, inadequate staffing, or related training or supervision problems. That was the case, for example, at $335.2 million Per-Se Technologies, which noted a "lack of adequate supervision of accounting personnel."

MOST COMMON

Multiple Disclosures

As was the case with prior months, it was common for companies to disclose multiple "types" of problems.

$34.3 million wireless communications firm Comarco, for example, disclosed three weaknesses, including problems calculating bonus accruals, inadequate analysis of certain deferred revenues, and a lack of documentation related to accounting for contingencies. $2.2 billion Footstar listed 17 weaknesses that the company identified as the result of a restatement, including tone at the top and management override of controls.

Large Companies Contributing More?

Though the majority of internal control weakness and deficiency disclosures continue to come from small companies, larger firms may be contributing a disproportionate number of weakness disclosures.

In September, 19 percent of the weakness or deficiency disclosures came from companies with over $1 billion in revenue. In August, the number was 16 percent.

Though that seems like a small number, only 9 percent to 11 percent of public companies have revenue exceeding $1 billion. As a result, that small group of companies is contributing a disproportionately large number of disclosures.

That being said, most experts note that it's too early to make assumptions about company size and control susceptibility; rather, they simply point out the internal control provisions of Sarbanes-Oxley are impacting both large and small firms.

Greater Details

Companies continue to provide greater detail on the problems identified during the internal control assessment and testing phases.

One of the most detailed—and therefore helpful—disclosures came from $22.4 million oil & gas exploration firm Mitcham Industries, which identified several weaknesses that resulted from an independent investigation prompted by a whistleblower. In describing the problems, Mitcham Industries went out of its way to explain what happened and why, even providing a detailed description of the market for seismic data acquisition contractors in Canada, which was one of many factors that created the scenario in which the weaknesses occurred.

$2.2 billion Footstar also provided an extremely detailed list of the problems it had identified, going out of its way to bullet 17 control deficiencies, from "tone at the top" and inadequate training, to accounts payable reconciliations and flawed inventory tracking systems.

SOX Expenditures, Rewards

As we've noted in prior months, companies have begun disclosing amounts spent on internal control assessment, testing and remediation.

$156.4 million Merix Corp., for example, disclosed in a Sept. 22 8-K that its "Selling, general and administrative" costs in the first quarter included "about $250 thousand incremental expense for audit and consulting fees related to compliance with the internal control provisions of Sarbanes-Oxley Section 404." At $1.5 billion Applied Industrial Technologies, audit-related fees in 2004 "were for reviews in connection with Applied’s internal controls project ($94,600)" and other costs.

Other companies have specifically noted, when describing audit and non-audit fees paid to accounting firms, that certain expenses went to internal control improvements. For example, in disclosing a dramatic jump in audit fees from 2003 to 2004, Sun Microsystems cited in footnotes that "Fiscal years 2004 and 2003 include approximately $1.8 million and zero, respectively, in fees for assurance services provided in connection with assessment and testing of internal accounting controls in connection with Section 404 of the Sarbanes Oxley Act of 2002." And in tracking a similarly dramatic decrease in non-audit fees during the same period, the company noted that "For fiscal year 2003, fees are solely for services provided in connection with making recommendations for improvements in our internal controls."

In charting its jump in audit-related fees from $390,000 in 2003 to over $1.8 million in 2004, $6.2 billion storage firm Seagate Technology cited—among other things—"Sarbanes-Oxley internal controls-related advisory activities..."

Interestingly, one company, $1.7 billion telecommunications equipment maker Cellstar Corp., disclosed that bonuses awarded to executives were, in part, due to improved controls. The company's proxy statement noted that discretionary bonuses were awarded for each executives' impact on key initiatives, including achievement of operational goals, overcoming global obstacles like SARS, and "improving corporate governance and internal control procedures..."

Speed To Action

The public filings also reflect the speed with which some companies are addressing internal control problems.

$516.3 million Party City, for example, concluded in May 2004 that it had a reportable condition related to "the classification of a financing activity on the cash flow statement." Though the amount was immaterial, the company addressed the problem immediately by enhancing controls, hiring additional financing and accounting staff, improving training, and requiring period reviews of technical accounting literature. "Based on these enhancements," the company noted in its 10K filed September 14, "the reportable condition was remediated and we have no reportable conditions."

Similarly, on March 31, $6.7 million medical equipment and supplies company Implant Sciences discovered an "error in the calculation of the fair value of certain [issued] warrants." Though the company concluded that there was no material weakness in its controls, it fixed the problem and instituted new systems, procedures and educational programs by the end of August.

The same was the case with $384.5 million wireless equipment company Remec, which acted quickly to identify potential problems. The company disclosed in a Sept. 9 10-Q that it might have identified possible deficiencies, and then on Sept. 30 filed an 8-K disclosing that it had indeed identified reportable conditions.

Remediation Disclosures

Continuing a four-month trend, companies continue to provide greater detail on their internal control improvement and remediation efforts, outlining specific steps taken to improve controls.

$470.7 million Catalina Marketing Corp., for example, provided a list of 13 steps the company has taken to improve the significant deficiencies and material weaknesses it had identified.

$2.2 billion Footstar also provided a very detailed "Internal Process and Controls Plan" that included a separate executive summary, and details on project teams "responsible for assessing internal control weakness and developing detailed action plans, with timetables, progress metrics, and budgets, where applicable."

Riverstone Networks provided a list of 15 steps it had taken to remediate weaknesses, including establishment of a Business Operations group, initiation of a quarterly revenue recognition review, termination of certain company officers, and a "near-complete turnover in the composition of our senior management team."

Some companies noted that control improvements were being made, without citing specific weaknesses or deficiencies. $3.6 billion telecom equipment maker NTL stated that, following the company's emergence from Chapter 11 reorganization, the company undertook an examination and "determined that some of our controls and procedures should be improved." And $596.4 million home furnisher Bombay Company disclosed that it was "enhancing segregation of duties within its information technology systems and further restricting system access," but did so without disclosing a weakness or deficiency. The same was the case at $351.8 million router and switch-maker Extreme Networks, which disclosed it was "developing plans to implement improvements or additional control procedures."

As usual, we're providing a list of all sample remediation disclosures in September, including excerpts and links to the actual filings.

"Issues," Not Weaknesses

Companies also continue to disclose internal control "issues" without specifically noting that they are weaknesses or deficiencies. $1.7 billion auto parts maker Metaldyne, in an 8-K that provided an update of an independent investagation, noted a number of concerns with financial controls and procedures, but stopped short of disclosing a weakness. "The Company understands that its current independent auditors have identified certain concerns that give rise to material weaknesses and that its auditors will make business recommendations based upon these and other concerns." The 8-K then went on to provide information on actions taken or considered to address the concerns.

$610.7 million industrial manufacturer Tekni-Plex also discovered a problem with charges made to incorrect accounts; however, the company stopped short of calling the control issue a weakness. "Our chief executive officer and chief financial officer concluded that the weakness that lead to these errors did not constitute a material weakness in internal control." Nevertheless, certain improvements were subsequently made.

$11.2 milion metals & mining company Milastar Corp. also noted that it was "aware that there is a lack of segregation of duties due to the small number of employees dealing with general administrative and financial matters"; however, the company did not disclose a weakness or deficiency, and in fact noted that the associated risks were insignificant and didn't justify adding staff. The same was the case at tiny manufacturer Cox Technologies, which noted its four employees and subsequent inability to segregate duties "and other mitigating controls may be considered a material weakness in internal controls over financial reporting."

Sterling Equity Holdings simply stated that certain internal controls relating to the control of cash were "inadequate."

Risk Factors

Companies also continue to mention internal controls as "risk factors" in the Management's Discussion & Analysis section of SEC filings. Most mentions entailed broad and general disclaimers, noting that controls may not be adequate, deficiencies or weaknesses may be discovered, or remediation may not be successful.

In addition, some common wording also appears to be developing, even across auditors. For example, $9.3 million software company 8x8, which was audited by PwC, and $2.8 billion home furnisher Williams-Sonoma, which was audited by Deloitte & Touche, both noted that "we cannot be certain as to the timing of completion of our evaluation, testing and remediation actions or the impact of the same on our operations since there is no precedent available by which to measure compliance adequacy."

Other risk disclosures were more specific, depending on the business of the company. $291.1 million document management firm Open Text, which has made several acquisitions, noted that if the company were to acquire a firm with weak controls, "it will take time to get the acquired company up to the same level of operating effectiveness as Open Text." Other companies, like $819.8 million semiconductor firm Marvell Technology Group, cited similar M&A risks.

Other companies, like $2.1 billion PayPal, cited issues like growth or complexities and developments in the financial services business, as potential risks. According to PayPal, as "business continues to grow, [the company] must strengthen its internal controls accordingly."

We've included several samples of such "risk factor" disclosures.

Class Actions, Deregistrations

Internal controls continue to be cited in class action law suits as well.

$26.9 million regional bank North Country Financial Corp. disclosed that a shareholder lawsuit was accusing the company of, among other items, "failing to make full disclosure that our administrative, operating, and internal controls were inadequate to prevent loss and damage to our assets..." The same was the case at $10 billion property & casualty insurancer PMA Capital Corp.

In one interesting filing, $2.6 billion Chiquita Brands disclosed that a "Greek subsidiary made a payment of approximately 14,700 euro that may not comply with the U.S. Foreign Corrupt Practices Act." Under a settlement reached with the SEC in 2001 on an unrelated matter, the company consented to a finding that it had violated the books and records and internal controls provisions of the Securities Exchange Act of 1934; however, Chiquita but could not say whether regulators would consider the newly disclosed payment a violation of the 2001 order.

Two companies cited SOX 404 as a reason why the company was deregistering. According to $7.6 million manufacturer Quality Products, "The Board based its decision on the onerous cost of complying with the internal control and reporting requirements of the Sarbanes-Oxley Act." $175.8 million steel producer Webco also disclosed it was seeking to terminate registration due to SOX 404. "Webco is undertaking the Transaction at this time in order to effect the cost savings referred to below as soon as possible and, in particular, to avoid the significant prospective compliance costs relating to Sarbanes-Oxley [Section 404]..."

Inclusions And Exclusions

To avoid duplication, Compliance Week's September list does not include disclosures that had been made public in prior months, unless there was a significant and material update. Medical laser manufacturer Candela, for example, made a weakness disclosure in September; however, the company had already disclosed the information back in February, and did not provide a material update.

However, the September list does include companies that did provide material updates on previous disclosures. $391.2 million La Petite Academy, for example, which operates preschool and child-care facilities, disclosed weaknesses back in February related to personnel and other issues; however, on Sept. 27 the company noted a new weakness "in the information technology control environment." Portal Software also which disclosed a problem during the summer, but subsequently uncovered additional deficiencies that were disclosed in September. The same was the case at $1.6 billion Dresser Inc., and at HiEnergy Technologies, which had disclosed a weakness back in March.

We also did not include disclosures that were related to weaknesses prior to 2003. $139.1 million regional bank The Banc Corp., for example, included in a September filing information about a weakness from 2002, however, the firm had no weaknesses in 2003. Sealy, the mattress and bedding company, also disclosed information about a reportable condition; however, the problem was in FY 2002 and had been previously disclosed and remediated.

The List

As usual, we’re including the complete list of disclosures below. Please note that Compliance Week does not publish this list to point an accusatory finger; rather, our goal is to provide information to subscribers that might be helpful in understanding how their peers are making such disclosures and are approaching remediation.

Also, be aware that the excerpts below are just that: excerpts. The complete SEC filings are available for those who would like to review the disclosures in greater detail:

Click Here For The List Of Weakness Disclosures

Click Here For A Sampling Of Remediation Disclosures

Click Here For A Sampling Of Controls As Risk Factors