SEC Curious About Drop in Material Weaknesses

Staff at the Securities and Exchange Commission are beginning to wonder whether an impressive drop in the number of disclosed material weaknesses is really due to better internal control environments—amid the most horrendous economic climate in 80 years—or is a case of companies and auditors failing to identify where weaknesses truly are.

Speaking earlier this month at a national conference of the American Institute of Certified Public Accountants, SEC professional accounting fellow Doug Besch said the number of registrants reporting material weaknesses has plunged, “despite what has arguably been one of the most challenging financial reporting environments of recent times.”

Only 4 percent of registrants reported material weaknesses in the fiscal year that ended on Sept. 30, Besch said. That compares to 7 percent in the prior year, and 16 percent in fiscal 2004, when Sarbanes-Oxley compliance started to grip Corporate America for the first time.

Perhaps, Besch said, registrants have indeed addressed previously reported weaknesses and improved their internal controls so much that they can withstand the current recession. Or, “another skeptical view is this trend could also be due to material weaknesses not being identified or reported,” he said.

Besch gave another statistic: In that same five years that the number of companies reporting weaknesses fell, the number of weaknesses arising from corrections or year-end audit adjustments rose—from 55 percent in 2004 to 75 percent this year. “This indicates that the correlation between the reporting of a material weakness and the existence of a material adjustment continues to increase over time,” Besch said.

How so? One reason might be that registrants and auditors may not conclude there are material weaknesses in internal control over financial reporting unless they identify a material adjustment, Besch said. And if that’s true, then “other questions are raised, such as whether the material weakness existed in a prior period, whether all material weaknesses were disclosed in the current period, whether material weaknesses in monitoring or risk assessment should have been reported, and whether previously identified deficiencies were appropriately evaluated for severity,” he said.

“It’s fair to say risk management has improved over the years. Sarbanes-Oxley is embedded into organizations.”

—Gary Sturisky,

Global Practice Leader,

Jefferson Wells

Besch ruffled the feathers of auditors and other internal control aficionados, who generally say that the drop in material weaknesses comes from better, more mature SOX compliance efforts.

“It’s fair to say risk management has improved over the years,” says Gary Sturisky, global practice leader for risk advisory services at consulting firm Jefferson Wells. “Sarbanes-Oxley is embedded into organizations.”

Sturisky notes that in the early years of SOX compliance, companies had plenty of deferred maintenance on internal controls to do, and they had more conservative views on how to define and report material weaknesses anyway. “It doesn’t surprise me that the number of material weaknesses has declined,” he says. “I wouldn’t view that as a negative. It means the objective is being achieved.”

Dohrer

Bob Dohrer, national director of assurance services at auditing firm McGladrey & Pullen, says the drop in weaknesses could also be explained by the demise of Auditing Standard No. 2 in 2007. The always-unpopular AS2 had required extensive testing even at the lowest levels of the financial reporting process. Its successor, Auditing Standard No. 5, uses a more top-down, risk-based approach.

KEY CONTROL QUESTIONS

Below is an excerpt of the speech delivered by SEC Professional Accounting Fellow Doug Besch, outlining what questions companies should ask about their controls:

Test of Control Design Considerations

Registrants and auditors have a responsibility to evaluate the ICFR implications of changes to accounting requirements. A few areas that warrant special attention are changes to the requirements for business combinations and changes to revenue recognition for multiple-deliverable arrangements. Although not all inclusive, a critical assessment of the design of controls in these areas might raise questions such as the following:

Business Combinations

Have risk assessment or other controls been implemented throughout the entity to identify transactions that could require business combination accounting in the future as a result of the change in the definition of a business combination, such as the acquisition of a development stage entity or gaining control through contractual rights or the lapse of veto rights?

Do personnel responsible for reviewing significant accounting conclusions and authorizing or reviewing manual journal entries continue to possess the knowledge necessary to detect material misstatements given the changes in business combinations accounting?

Do controls exist to mitigate the risk that the registrant may not identify all of the effects that the changed definition of a business may have on other areas of accounting, such as components that were not previously considered reporting units because they were not considered businesses as previously defined in EITF 98-3?

Multiple-Deliverable Revenue Arrangements

Do controls exist to address the risk that estimated selling price is inappropriately used to determine the value for each deliverable when vendor-specific objective evidence or third-party evidence exists?

Are risk assessment and monitoring controls designed to identify circumstances that require updates to estimates of vendor-specific objective evidence, third-party evidence of fair value, or estimated selling prices for each similar type of arrangement?

Have processes and controls been implemented to identify and accumulate the required quantitative and qualitative disclosure information, particularly those requiring the accumulation of information not typically contained within the accounting system, such as the general timing of delivery or performance of service and performance, cancellation, termination, and refund provisions?

These questions are brief examples of test of design considerations that are intended to demonstrate the types of questions registrants and auditors should think about when evaluating the design of controls to assess whether ICFR is effective.

Source

Doug Besch Speech on SEC/PCAOB Developments (Dec. 7, 2009).

“It could be that auditors and preparers are less likely to do a lot of the more rigorous and detailed testing at the control-activity level, which is where many of the material weaknesses reported were found” under AS2, Dohrer says. AS5’s allowance for outside auditors to rely more on the work of internal auditors may also have resulted in external auditors doing less direct testing of detailed controls, which might also explain the decline in reported weaknesses.

Dohrer does say that Besch raises a valid question when he points to the rising correlation between adjustments and weaknesses and then wonders whether that means weaknesses aren’t reported until they result in mistakes. But Wendy Hambleton, national director at auditing firm BDO Seidman, says she’s not surprised to see a jump in adjustments generally.

With companies facing tricky issues such as goodwill impairments, debt covenants, going-concern analyses, illiquid markets, and investment valuations, and new accounting rules governing many of those areas, “that’s an awful lot on their plate,” she says. “When designing controls, would they be designed to reflect the confluence of all those events of the past year?”

Because SEC staff took the time to assemble and explore the data, Hambleton says, companies and their auditors should see it as a warning. “Companies probably need to think about the fact that the SEC is focused on this issue,” she says.

French

Karin French, assistant national managing partner for Grant Thornton, says auditors do audit work throughout the year, not just at the end of a reporting period. As such, companies and auditors find and remediate problems before they rise to a level that compels or requires disclosure to the public. The weaknesses that are tied to adjustments tend to reflect year-end surprises that don’t get corrected before the reporting period ends, she says.

According to Besch, the majority of the regulatory and compliance effort around internal control looks backward at things that have already happened, rather than forward at things that could happen. So perhaps companies and their auditors should pay more attention to what could go wrong when testing the design of controls, he said.

As examples, he discussed how controls might be evaluated to assure companies are complying with new rules for accounting for business combinations and new rules regarding revenue recognition for bundled product offerings. To get companies and auditors thinking proactively, he fired off several questions that companies and auditors should consider to assure that their controls are effective over these emerging areas of accounting.

“Registrants and auditors … improve the overall confidence of investors by fulfilling their responsibilities to provide the increased transparency” about internal control over financial reporting, he said. “I encourage the profession to continue focusing on internal control over financial reporting to ensure the design of controls is evaluated appropriately and all material weaknesses are identified and reported.”