Report: More Late Filings, But Fewer Weak Controls

Early analysis of Year Two internal control reports indicates the number of companies that can’t meet deadlines to file their financial statements may be rising, but fewer companies are reporting problems with internal controls.

In a recent study of the companies Moody’s Investors Service follows to establish credit ratings, 75 companies that reported on their internal controls for the second time reported material weaknesses—down from 117 in the first year of compliance with Sarbanes-Oxley in 2004, when large companies had to begin reporting on the effectiveness of their internal controls over financial reporting. The analysis also showed the number of delinquent filers rose from 21 in 2004 to 29 in last year, with 11 companies filing late in both years.

“Show me a delinquent filer in the prior year and I’ll show you a company that likely has ongoing reporting problems”

—Gregory Jonas, managing director, Moody’s Investors Service

Moody’s says delinquent filers account for 18 percent of reported weaknesses within its study group, while problems with income taxes account for 16 percent of reported weaknesses. Other big problem areas were ineffective accounting personnel and pervasive ineffective processes, according to Moody’s.

The latter two problems reflect a lack of investment by those companies in establishing staffing and processes that can support effective controls. “Section 404 reports are bringing attention to this problem, which has inspired companies to reinvest in the accounting functions,” Moody’s said in its report.

The study looked only at companies Moody’s rates, which tend to be larger companies with more sophisticated finance operations. The study also considered only companies with a calendar year-end, which faced a March 31 deadline with the Securities and Exchange Commission to file year-end reports.

The report generally echoed the findings of a study published by Compliance Week in April, which analyzed the 10-K filings of nearly 300 Dec. 31 year-end filers that had more than $1 billion in revenue and were in Year Two of compliance with Sarbanes-Oxley. According to the Compliance Week study, only 2 percent of companies rated their internal control over financial reporting as ineffective. (See "Effective Controls Rule The Roost" in box at right.)

Two Buckets

To establish credit ratings, Moody’s tracks internal control reports to determine how serious a company’s financial reporting problems might be. In general, it downgrades a company’s debt rating if the company reports control problems that Moody’s considers to be pervasive, if it shows ongoing problems with reporting, and if its current rating doesn’t fully reflect any kind of uncertainty about potentially misleading financial statements.

Moody’s says its greatest concern is with companies that can’t get reports filed on time. “Show me a delinquent filer in the prior year and I’ll show you a company that likely has ongoing reporting problems” either because they’re remaining delinquent or they’re still reporting material weaknesses, says Gregory Jonas, managing director for Moody’s. “A big majority of delinquent filers fell into one of those two buckets.”

Ten Eyck

Ernest Ten Eyck, a former assistant chief accountant at the SEC and now senior managing director at consultancy FTI, says delinquent filers have long been associated with serious control weaknesses, even well before Sarbanes-Oxley raised control concerns. He prefers to focus on the drop in companies reporting material weaknesses, which he sees as evidence the new reporting system under Section 404 is working.

“It forces registrants to look for problems rather than wait for something to go awry,” he says. “Audit committees are a major element of that discipline. Most now get it, and are holding the feet of both management and internal audit leaders to the figurative fire.”

Moody’s says it’s also concerned that internal control reporting is almost silent on fraud. “For the second year running, we are seeing very little about fraud controls,” Jonas says. “If you think about why we got 404 in the first place, senior management tried to cook their books and got away with it, temporarily. Then 404 says you need to be focused on controls to prevent fraud, yet only a handful of companies reporting problems mention fraud.”

WEAKNESSES

Number of weaknesses reported by Moody's.

2005

2004

Delinquent Filers

29

21

Category B Weaknesses

30

38

Category A Weaknesses

16

58

Moody's Investors Service (May 2006)

Jonas compares the current control environment around fraud to a doctor telling a patient after a heart attack that he also has high blood pressure: It might have been an indicator of potential problems had it been discovered earlier, but now the problem is being discovered only after the fact.

“We got 404 because of fraud, and yet we’re seeing very little in control reports about fraud,” Jonas says. “I would think fraud-related controls would try to ensure senior management can’t override their control systems. There’s got to be something companies can do to prevent managers from top-sided entries and other things we’ve seen.”

Detective, Not Preventive?

James Tholey, managing director with Accume Partners, agrees there’s more companies can and should be doing to assure investors they’re preventing fraud from occurring. “We’re not seeing reports about fraud because it’s a secondary consideration,” he says. “Most people are using a check-box mentality. I’m hearing a passive, reactive approach as opposed to an active methodology.”

Tholey

Tholey says companies need to meet with process control personnel, and try to think like someone who might be contemplating a scam. “If I had adverse intent, how would I work around these controls?” he says. “People don’t want to think fraud can happen here, so it won’t happen here. We have to talk about how to beat the system. How could we scam the company? Criminals do just that. They think about where the gaps are and they attack the gaps.”

The problem, according to Jonas at Moody's, is that internal control reporting, like financial reporting, is “very much backward-looking. It’s not preventive in nature; it seems to be detective in nature.”

Selling

Thomas Selling, a financial reporting consultant and adviser to the Association of Audit Committee Members, says he finds after-the-fact reporting to be a letdown in 404 reports. “Numerous independent corporate watchdogs rate corporate governance structures, with many companies rated very low,” he says. “Yet, the data indicates auditors still delay warning that a fraud could occur until one actually does.”

Randy Marshall, managing director for Protiviti, says that may be an unrealistic expectation of what 404 can or should achieve. “Discussions around the potential for misstatement are clouded in judgment,” he contends. “It’s easier and clearer to report to specific facts: Here’s where there was an error. In the simple world, it would be nice to know all of these problems in advance, but I’m not sure that’s reality.”

Jonas adds that Moody’s would love to attach a price tag to reported material weaknesses, to help establish the so-far elusive cost-benefit equation on what Section 404 reporting is achieving in the market—but, he says, too many hard-to-measure factors cloud that picture. He’s hopeful further study may help.

The Moody’s report, as well as related resources and Compliance Week coverage, can be found in the box above, right.