Last year I began teaching my 16-year-old
daughter to operate our 205 horsepower
pleasure craft.
During my new-boater
indoctrination sessions, in addition
to covering requirements such as running
the motor compartment exhaust fan for
four minutes prior to starting the engine,
operating the boat’s navigation lights and
learning on-water navigation rules, I took
Morgan on a tour around our lake to point
out rock shoals that are either partly or
totally submerged.
These shoals can cause
serious harm to unwary boaters. Some of
these shoals are marked with buoys and/or
lights, some better than others. Others, like
a number of rock shoals around our cottage,
aren’t marked at all.
This month I am taking readers on a tour
of some of the nastier “shoals” capable of
causing considerable harm to unwary companies
that must comply with Sarbanes-Oxley, and in
particular sections 302 and 404 of the law.
Failure to avoid the shoals could
lead to the next generation of corporate
shipwrecks.
Section 302 requires a firm’s management
to take steps to satisfy themselves their
systems and controls are reliable. Under
section 404 the firm’s external auditors
must report on the reliability of management’s
assessment of the controls.
Beyond the hazards discussed in this article,
it is highly likely that there are even
more SOX 302/404 submerged shoals that
will only become known after some companies
run aground and sink – an event
best avoided.
Here are some important SOX
302/404 hazards:
Procrastinator Rocks
A survey released by IBM in October shows
that only one in 10 US chief financial officers
and financial executives view their
internal controls as compliant with SOX
404.
What is fascinating is that all these
companies are already making control effectiveness
representations under SOX 302.
The vast majority of these companies continue
to get clean audit opinions from their
external auditors. This reminds me of playing
poker with a not very good hand, but
you bluff and bet anyway hoping your opponents
won’t call you.
In the case of SOX, the
risk is that some of the companies that
aren’t ready may have a big disclosure problem
before they have demonstrable support
for the SOX 302 control effectiveness representations
they have been making religiously
each quarter.
Negligence charges
against the poker players and their external
auditors will be quick to materialize.
Conflict Shoals
In many companies, external auditors have
played major roles in helping to calculate
tax provisions, deal with commodity tax
issues, interpret complex accounting rules
and often to propose major accounting
entries.
If you were to ask one of these
companies what’s the main control used to
ensure these things had been done correctly,
the answer in most cases would be that
they hired their external auditor to help
them.
In other words, they view the external
auditor as their key control in these
areas. Under SOX 404, these same external
auditors will be asked to give an opinion on
the effectiveness of controls over external
disclosure items, including tax provisions,
interpretation of generally accepted
accounting principles, commodity tax and intercountry
transfer prices.
In essence, external
auditors will be giving an opinion on their own
effectiveness as a key control – a breach of
most auditor independence principles.
Wrong Focus Light
When confronted with potentially dangerous
situations, people often fall back on
strategies used in the past to deal with
similar events. This holds true even when
the strategies have consistently failed.
With
SOX 302/404 many companies and their
external auditors are currently focusing
90 percent of their assessment efforts on documenting,
assessing and testing controls
that have historically been responsible for
less than 10 percent of the financial disclosure
fiascos.
This is because it’s relatively easy to
start flowcharting and documenting
accounting processes and control points.
What’s often not done is to identify the
top 50 or 100 most common reasons why
companies have issued wrong or fraudulent
financial statements in the past – and
then to work out the odds of those situations
happening in-house.
Adverse Tidal Flow On Standards
Current interpretations of SOX 302/404
by the Securities and Exchange
Commission and the new Public Company
Accounting Oversight Board
encourage companies to use the now very
dated 1992 version of the Committee of
Sponsoring Organizations (“COSO”) control
framework as the foundation for CEO
and CFO SOX 404 control effectiveness
reports.
This is akin to reverting to using
the 80486 generation of computer processors
that was state-of-the-art in 1992.
Other generally accepted control frameworks
that can be used for SOX 404, such
as the Canadian CoCo model and the UK
Cadbury framework, are slightly newer
than the vintage ’92 COSO model. But
they still date back to the mid-1990s.
To
achieve value from this exercise, and
increase the chances of preventing serious
problems in the future, companies should
use the principles in the new COSO ERM
(Enterprise Risk Management) Framework
released in exposure draft in July and
expected to be finalised in February 2004.
Companies should be strongly encouraged,
or even forced, to use the newer generation
of assessment methods. The new approaches
focus first on documenting end-result
objectives and then on identifying and
measuring the risks to those objectives.
Only after those two steps have been documented
should the controls mitigating the
risks be documented, together with the
residual risks remaining.
Beneaped After Missing The Point
My talks with companies large and small
suggest many are focusing almost exclusively
on assessing the accounting processes
that feed the income statement and balance
sheet.
This fails to recognize that SOX
302/404 covers all aspects of a company’s
external financial disclosures.
In addition to
accounting line item disclosures, steps must
be taken to document the risks and controls
related to financial statement note disclosures,
supplemental disclosures required
in 10K (annual report) and 10Q (quarterly
report) SEC filings and the reliability of the
management discussion and analysis sections.
Foul Ground At Material Weakness
Many companies have had control weaknesses
that fit the proposed definition of a
“material weakness” for decades.
The auditing
standard proposed in October by the
PCAOB for SOX 404 work defines a material
weakness as something which “by itself
or in combination with other internal control
deficiencies ... results in more than a
remote likelihood that a material misstatement
in the company’s annual or interim
financial statements will not be prevented
or detected”.
One only needs to look at the number of
financial statements and restatements being
filed, and the number of restatements in the
past, to conclude many companies have had
material weaknesses.
Many companies have
scores of serious internal auditor “concerns”
that have never been rectified.
In many companies, external auditors routinely
insist on significant accounting adjustments
before they sign off on the accounts.
Sometimes the adjustments are to fix the
“Gee I had no idea – this comes as a big
surprise to me!” type problems.
In other
situations, the entries relate to a strategy by
senior executives to “push the envelope”
and see how far their external auditor
would go before calling a foul.
The PCAOB
now says evidence of persistent gaming of
this type indicates immediately that there is
a material weakness in control systems – a
weakness that has been around for years.
Pilot Error
The PCAOB’s SOX 404 exposure draft
proposes for the first time that external
auditors “evaluate factors related to the
effectiveness of the audit committee’s oversight
of the external financial reporting
process and internal control over financial
reporting, including whether audit committee
members act independently from management.”
Simply put, the external auditor will be
asked to say whether the audit committee
of a company is competently fulfilling its
oversight responsibilities.
It’s well documented that ineffective audit
committees have been at the root of many
of the biggest corporate disasters. So one
must assume that if this requirement stands
we can expect that:
A great many audit
committees will have to improve their
composition and performance substantially;
A large number of audit committees will
be classified as “material weaknesses”;
Some external auditors will refuse to
report them but issue clean reports anyway.
The irony is that SOX makes it clear that
the audit committee should play a key role in
selecting and overseeing the work of the
external auditor — the same external auditor
that is being asked to opine on the quality
of audit committee oversight.
External
auditors may soon be faced with hundreds
of serious ethical dilemmas and with having
to decide whether they ought, as the
expression goes, to bite the hand that feeds
them.
Independent Bearings
Many companies have relied on external
auditors to identify and fix problems in the
accounting statements.
Sometimes this is
because the company doesn’t have appropriately
qualified and experienced staff.
Sometimes it’s because of major control
breakdowns. Sometimes it’s because executives
in subsidiaries are getting overly
aggressive in their interpretation of the flexibility
in generally accepted accounting principles.
A simple question I encourage audit
committees to ask is: what significant
accounting entries were made, if any, after
management prepared the accounts for
review by the external auditors?
According
to the draft PCAOB SOX 404 audit standards,
it will be prima facie evidence of ineffective
controls if the answer is that quite a
few big adjustments were made.
If this interpretation
holds, it will severely curtail the
“catch-me-if-you-can” approach to profit
manipulation and income smoothing.
High Chance Of Running Aground
Every day people all over the world break
speed laws, violate municipal ordinances,
drink under-age, steal copyright-protected
music over the Internet, break copyright
laws, and commit countless infractions
without suffering any consequences.
Managing corporate profits by playing games
with the external auditors has been a time-honored
tradition in countries around the
world.
The new rules being proposed by the
PCAOB suggest that this game, at least in
the form that it has been practised in the
past, will have to come to an end.
However, as the expression goes, talk is
cheap. A number of legal analysts have
already pointed out that although the SEC is
hiring large numbers of new staff, no similar
resources are being provided to the federal
prosecutors necessary to take real, serious
enforcement action. External auditors, co-conspirators
in more than a few cases, have
been assigned the primary role as chief
enforcer and reporter, a role they have
struggled with in the past and failed at in
scores of situations.
Time will tell if there is
a real will on the part of the SEC, the
PCAOB and external auditors to change the
rules of the game. What companies and
their advisors need to keep firmly in mind is
that there is a very real probability that the
new sheriffs in town want to hang at least a
few wrong-doers in the town square.
This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented. The column was written originally for publication in the November issue of Global Risk Regulator.