Companies continue to improve in their compliance with Section 404 of the Sarbanes-Oxley Act, even though smaller companies just entering the Section 404 realm have lots of ground to cover.

Large corporations now in their fourth year of compliance with Section 404—the nettlesome SOX requirement that companies annually assess their internal control over financial reporting and have external auditors attest to the controls’ effectiveness—continue to chip away at their deficiencies and weaknesses. According to a study by Audit Analytics, only 7.9 percent of accelerated filers reported adverse disclosures on controls last year, compared to 16.9 percent in 2005, the first year of Section 404 compliance.

(Under Securities and Exchange Commission rules, a SOX “compliance year” actually runs from Nov. 15 of one year through Nov. 14 of the following. So Audit Analytics’ survey examined annual reports filed from Nov. 15, 2007, through late September 2008, when the large majority of corporate reports had been filed.)

The data on smaller companies, however, paints a different picture. Non-accelerated filers—those with market capitalizations below $75 million—had to start reporting management’s assessment of internal controls for the first time last year. Among those who did, an eye-popping 30.7 percent confessed to problems. Most cited personnel issues, inadequate segregation of duties, and year-end adjustments—similar to what large filers reported when they first grappled with Section 404 in 2004 and 2005.

Whalen

“Initially, I was surprised by the number of adverse disclosures in the management-only reports, but when you look at the causes, it starts to make sense,” says Donald Whalen, director of research for Audit Analytics. For example, personnel and segregation of duties are classic problems for smaller companies, which often don’t have enough trained personnel to segregate various financial duties adequately.

DeLoach

Jim DeLoach, managing director at consulting firm Protiviti, says those types of failures jibe with what he sees in practice, too. “A lot of smaller companies have tended to rely on their audit firms for certain types of assistance,” he says. “Accounting documentation, policies and procedures, personnel resources, competency of personnel—sounds like a smaller company to me. It’s intuitively logical.”

DeLoach even wonders whether an “institutionalized material weakness” around segregation of duties will become an accepted fact for smaller companies. “They simply don’t have the resources to hire more people in order to satisfy the segregation of duties issue,” he says. “There’s going to be a lot of tension on that.”

AUDITOR ATTESTATIONS

The following key points were taken from the Executive Summary section of Audit Analytics’ study on 404.

1. As of September 10, 2008, the overall rate of adverse Year 4 auditor attestations has continued the steady declined.

In SOX 404 Year 1, when U.S. accelerated filers first provided auditor

attestations (in their annual reports for fiscal years ending on or after

November 15, 2004), the adverse disclosure rate came in at 16.9%.

Thereafter, each year experienced a decline in the percentage of adverse

auditor attestations. The Year 1 rate of 16.9% dropped to 10.3% in Year 2

and then to 9.1% in Year 3. (See graph on right.) Likewise, even if one

assumes that overdue filings will come in as adverse disclosures in the near

future, Year 4 is expected to end with an adverse rate of about 7.9%. (See

table on page 9: SOX 404 Auditor Attestations: Year 4 Update with Year 1,

Year 2, and Year 3 Adverse Opinion Comparison.) This incremental drop

from year to year suggests that the ICFRs of companies improve over time

when auditors are involved in the evaluation process.

2. When management-only assessment are added to the population of SOX 404 filings, the adverse percentage rate for

Year 4 increases to 17.9%.

So far in Year 4, the SEC has received 3,435 annual reports with management-only assessments. Of those disclosures, 1,053

provided an adverse assessment regarding ICFRs, an adverse opinion rate of 30.7%. The high percentage indicates that nonaccelerated

filers, which includes many 10KSB (small business) filers, fail to maintain ICFRs that are as reliable as accelerated filers.

When this population is added to the 4,012 auditor attestations opinions, the adverse percentage of the total population of 7,447

disclosures becomes 17.9%. (See table on page 10: SOX 404 Disclosures including Management Only Reports: Year 4 Update with

Year 1, Year 2, and Year 3 Adverse Opinion Comparison.) The percentage figures in this analysis do not assume that overdue

opinions will come in as negative because many recent 10KSB/As have declared effective ICFRs. (And, the failure to provide a

management assessment in the first instance is a SOX 302 failure, not a SOX 404 failure). Nevertheless, the adverse rate could rise

as amended annual reports are filed.

3. In Year 4, the adverse auditor attestations filed by first-time accelerated filers were up slightly as compared to the prior

two years. The addition of management-only disclosures more than doubled this adverse rate.

Analysis of the performance of first-time filers during the first three years of

SOX 404 showed that these filers became better prepared for the rigors of a

SOX 404 assessment as time passed. In Year 1, adverse opinions were

disclosed in 16.9% of the annual reports. In Year 2, the first-time filers were

better prepared and only 10.9% of disclosures revealed adverse ICFRs. This

pecentaged dropped yet again in Year 3 to 10.1%. However, even if a Year 4

analysis focuses on accelerated first-time filers (those that included an

auditor attestation with their first assessment), an increase in the percentage

of adverse opinions appears. In Year 4, adverse ICFR assessments were

disclosed in 12.8% of the auditor attestations from first-time SOX 404 filers.

(See table on page 11: Review of First-Time Filers by Year (Auditor Reports

Only).) If the Year 4 analysis includes management-only assessments, the

adverse rate increases to 28.0%. (See table on page 12: Review of First-

Time Filers by Year (with Management-Only Assessments).) This increase in the adverse rate is not surprising since non-accelerated

filers are smaller companies that would likely be less prepared for their first occurrence of a full ICFR assessment.

Source

Audit Analytics.

Whether such weaknesses will lead to adverse auditor opinions for small filers remains unclear; they won’t need to comply with the auditor-attestation clause of Section 404 until their first annual report after Dec. 15, 2009.

The Public Company Accounting Oversight Board recently published 60-plus pages of guidance specifically targeting auditors of smaller companies, to help those firms understand how to scale the internal control audit to the circumstances of smaller companies. The Center for Audit Quality has also published a diary of “lessons learned” from larger audit firms, meant to pass along what’s been established so far to smaller firms that may soon audit internal control for the first time.

Gazzaway

“We wanted to advance the learning curve for auditors that have never done an integrated audit before,” says Trent Gazzaway, a partner at the firm Grant Thornton who helped develop the CAQ guidance. “We worked through some of the lessons we learned in the integrated audit process [combining the audit of financial statements with the audit of internal control audit] with the goal of improving the efficiency of other firms.”

Among the most important lessons, Gazzaway says, is the significance of planning. “If you get the planning and coordination right on the front end, the rest falls into place,” he says. “You look at how a company assesses risk and you feed off that instead of creating your own risk-assessment process from scratch.”

The Restatement Quirk

The Audit Analytics data also reveals another interesting twist as Section 404 compliance continues to mature: The percentage of adverse audit opinions springing from restatements has dropped by more than half since large filers’ first year of internal control reporting.

DeLoach says that can partly be attributed to an overall decline in restatements. But equally important, it reflects increased use of judgment under Auditing Standard No. 5, he says.

When the PCAOB wrote its first standard governing internal control (Auditing Standard No. 2), a restatement was considered a strong indicator that there must be a weakness in internal control. AS5 replaced AS2 in 2007 and throttled back that view, giving auditors and management more flexibility to determine whether a restatement resulted from an internal control problem.

Gazzaway says he’s seen situations where companies had all the proper controls in place, but still made a wrong decision that led to a restatement. “You can’t always get it perfect,” he says. “When you look back at what the company did, you really couldn’t have asked them to do any more. If you can’t articulate what else they could have done, then the decision was reasonable.”

SOME OPINIONS

The following chart from Audit Analytics compares companies’ 404 opinions year to year.

Company

Yr. 1 Comparison: Percentage of Adverse 404 Opinions Filed First Year*

Yr. 2 Comparison: Percentage of Adverse 404 Opinions Filed Second Year

Yr. 3 Comparison: Percentage of Adverse 404 Opinions Filed Third Year

Ernst & Young

12.7%

6.0%

5.6%

PricewaterhouseCoopers

16.0%

11%

7.0%

KPMG

16.5%

10.9%

7.3%

Deloitte & Touche

17.3%

10.5%

11.3%

Grant Thornton

30.5%

12.3%

12.1%

BDO Seidman

35.3%

23.7%

12.3%

Crowe Horwath LLP

18.2%

2.4%

3.8%

McGladrey & Pullen LLP

15.0%

11.5%

5.6%

Regional & Local Firms (153)**

23.5%

14.2%

19.0%

* Year 1 and Year 2 Comparison values are obtained from prior research performed and published by Audit Analytics. (See Second Year 404 Dashboard, April 2007 Review , containing research as of February 12, 2007 and includes all filingsas of February 9.)

**In addition to the Big 4 and national firms, a total of 153 regional and local accounting firms signed section 404 internal control opinions in Year 4.

Source

Audit Analytics.

Tim Leech, a director at Navigant Consulting, says he doesn’t draw much comfort from data that says adverse internal control opinions or the number of restatements is on the decline. “Are the statements more reliable?” he asks. “One doesn’t necessarily lead to another. You can’t get better at giving a reliable opinion unless you understand why you gave an unreliable opinion. Nobody wants to tackle why restatements are wrong.”

Leech

Leech wonders if the decline in adverse opinions and restatements can simply be attributed to a relaxed regulatory approach. “The PCAOB has been told to lighten up,” he says. “Auditors have been told to lighten up because of the cost of the way they were doing it.” He believes management and auditors alike could learn much more if there were an inquest following adverse findings to determine what went wrong, but he speculates it’s not done because of fear of litigation.

The Audit Analytics report also provides some insight into which audit firms give the most adverse audit opinions. Ernst & Young, for example, issued the largest number of Section 404 opinions (978 of them), but recorded the lowest percentage of adverse ones (3.8 percent of that total). KPMG, on the other hand, issued only 691 opinions, but flagged 7.4 percent as adverse.

Whalen says that data is interesting, but not too instructive because it can be interpreted in different ways. “You could say the numbers reflect how thorough the auditors are, or you could say the numbers reflect how well the firm is helping its clients with internal control,” he says. “One has a negative implication, one has a positive implication, or it could be a mixture of both.”

The data could also reflect the nature of a firm’s clients, Whalen adds. KPMG, for example, has a heavy load of clients in the financial sector, which may be under heightened scrutiny because of the persistent financial crisis.

Websites

We are not responsible for the content of external sites

Topics