Internal Controls Audits Continue to Shine

Veterans of compliance with the Sarbanes-Oxley Act are now reporting record-low problems with internal control over financial reporting, although smaller companies newer to the SOX regime are still trailing behind in the march toward reliable, SOX-compliant financial reporting.

So says audit research firm Audit Analytics, which has tallied all but the tardiest of filings for the 2009 reporting year. It found that only 2.4 percent of more than 3,300 companies disclosed problems with internal controls last year—and even if every last straggler ultimately reports problems, the failure rate will still be only 2.8 percent, says Don Whalen, director of research for Audit Analytics. That’s down from 5.9 percent in 2008 and 16.9 percent in the average filer’s first year of implementing SOX’s Section 404 reporting requirements.

Gazzaway

“The companies themselves are getting better at internal control,” says Trent Gazzaway, a partner with Grant Thornton. “They had to improve and fix their weaknesses, or they had to report them. I would have expected the learning curve to have flattened out by now.”

Among smaller companies—those below $75 million in market capitalization, which were given many delays in complying with Section 404 and are now fully exempt from the audit requirement—improvement has been slower. With a little more than 3,000 reports filed by management in their fourth year of reporting, 27.8 percent reported problems with internal controls. That’s down, but only barely, from 32.3 percent in 2008 and 32.8 percent in their first year of reporting.

While the numbers suggest that financial reports are more accurate because internal controls are operating more effectively, it’s not necessarily a direct indicator, says Tim Leech, chief methodology officer for consulting firm Risk Oversight. To get the full picture, he says, you would want to know how many companies that originally reported effective internal control over financial reporting later restated their accounts to correct material errors—which would invalidate those claims that internal controls were sound.

Some other recent research has attempted to provide such insight. Albert Nagy, an accounting professor at John Carroll University, looked at restatement rates for companies complying with Section 404 and those that were not during the early years of implementation when smaller companies were exempt. His analysis focused on reports filed in 2005 and 2006, when restatements across companies were comparatively high.

Nagy found that 14.5 percent of companies complying with Section 404 had to restate, while 20 percent of companies that did not report on internal controls had to restate their financials. Controlling for various other factors that might have been at play, Nagy deduced that compliance with Section 404 reduced the probability of financial reporting mistakes by 6.3 percent.

Audit Analytics also produced a quick study earlier this year, as Congress was considering a permanent exemption from the audit requirement under Section 404 for smaller companies, trying to determine the effect of the internal control audit on accuracy of financial reporting. Its conclusion: companies reporting clean controls with a concurring audit opinion restated at a rate of 5 percent, while companies reporting clean controls with no audit opinion—that is, companies exempt from Section 404(b)—restated at a rate of 7.4 percent.

The Dodd-Frank Act made that exemption from Section 404(b) permanent for all non-accelerated filers. It also directed the Securities and Exchange Commission to study the extent to which Section 404 can be credited with cleaning up financial reporting errors.

Wider Views on Weaknesses

Ueltschy

Rick Ueltschy, an executive with audit firm Crowe Horwath, says if financial reports are more accurate today, internal control reporting is not the sole exercise that uncovers errors. “Section 404 is one element of it, but it’s certainly not all of it,” he says. An SEC focus on materiality can also take some credit.

“Vigilance needs to be the order of the day going forward.”

—Jim DeLoach,

Managing Director,

Protiviti

“The Commission became much less tolerant of people accepting known error in their financial statements,” he says. “They moved away from guidance that said ‘fix it in your next filing’ to guidance saying `go back and fix it in your older filings.’ ”

As a result of the Section 404 exercise, companies have also built up their “bench strength,” Ueltschy says, bringing on more skilled staff to handle financial reporting. “That was a derivative of Sarbanes-Oxley,” he contends. “There’s no provision that said go out and hire more skilled accountants, but it was a byproduct of how the process played out.”

Although smaller companies are still reporting 10 times more control problems than larger companies, smaller companies have benefitted to some degree from the “knowledge trickle down,” Gazzaway says. For larger companies, regulators have called on auditors to perform integrated audits, auditing internal controls and financial statements in a more streamlined process.

As a result, “auditors have learned how to better adjust their overall audit program to consider internal control better,” Gazzaway says. “Even if they’re not in a position to audit internal control, auditors have learned how to better adjust their overall audit program to consider internal control better.”

HIGHLIGHTS

The following excerpt from TK provides highlights of the Dodd-Frank legislation:O

Consumer Protections with Authority and Independence: Creates a new

independent watchdog, housed at the Federal Reserve, with the authority to

ensure American consumers get the clear, accurate information they need to

shop for mortgages, credit cards, and other financial products, and protect

them from hidden fees, abusive terms, and deceptive practices.

Ends Too Big to Fail Bailouts: Ends the possibility that taxpayers will be

asked to write a check to bail out financial firms that threaten the economy

by: creating a safe way to liquidate failed financial firms; imposing tough

new capital and leverage requirements that make it undesirable to get too

big; updating the Fed’s authority to allow system-wide support but no longer

prop up individual firms; and establishing rigorous standards and

supervision to protect the economy and American consumers, investors and

businesses.

Advance Warning System: Creates a council to identify and address systemic

risks posed by large, complex companies, products, and activities before they

threaten the stability of the economy.

Transparency & Accountability for Exotic Instruments: Eliminates

loopholes that allow risky and abusive practices to go on unnoticed and

unregulated. including loopholes for over-the-counter derivatives, asset-

backed securities, hedge funds, mortgage brokers and payday lenders.

Executive Compensation and Corporate Governance: Provides shareholders

with a say on pay and corporate affairs with a non-binding vote on executive

compensation and golden parachutes.

Protects Investors: Provides tough new rules for transparency and

accountability for credit rating agencies to protect investors and businesses.

Enforces Regulations on the Books: Strengthens oversight and empowers

regulators to aggressively pursue financial fraud, conflicts of interest and

manipulation of the system that benefits special interests at the expense of

American families and businesses.

Source

Full Text of the Dodd-Frank Act

Jim DeLoach, managing director at consulting firm Protiviti, agrees that even if auditors for smaller companies don’t explicitly audit internal controls, they’re spotting problems and calling them to management’s attention; that’s helpful too. “If an auditor proposes a material audit adjustment, it will result in communication about whether a material weakness exists,” he says. “It’s not as direct as an auditor attestation, but it indirectly relates to management’s deliberations around whether or not there is a material weakness.”

DeLoach

The recent Audit Analytics study also called out some data suggesting the causes behind material weakness disclosures can vary depending on the audit firm handling the audit. Deloitte, PwC and KPMG, for example, flagged control problems related to revenue recognition, but Ernst & Young flagged none. KPMG, on the other hand, focused on accounts and loans receivable, investments, and cash issues in 40 percent of the errors it called out. PwC and E&Y called out fewer such concerns and Deloitte & Touche reported none.

Ueltschy says such disparity could result from different audit approaches or areas of emphasis among the major firms. “Depending on how a firm articulates a particular area of emphasis, you may end up with higher exception rates in a particular area in a particular year,” he says.

Gazzaway, however, says the firms collaborate on their audit views to try to assure they’re on the same page; he believes the differences can be attributed to differences in audit clients. KPMG, for example, has a higher concentration of clients in financial services, so it would make sense that it shows the highest rate of problems with accounts and loans receivable, he argues.

Whatever the causes, DeLoach cautioned companies not to rejoice at any clean Section 404 report they may produce. “Both management and auditors need to be vigilant about change in the current environment,” he says. In light of significant personnel shifting, economic pressures, increasingly complexity, changing accounting standards, and an eye on international standards, “all of these contribute to control breakdowns,” he says. “Vigilance needs to be the order of the day going forward.”