The fact that hundreds of companies came clean about potential internal control problems as the Sarbanes-Oxley Section 404 deadline approached isn’t terribly surprising. What is surprising, says one researcher who recently analyzed the disclosures, is that most of those companies had said not too long before that their internal controls were effective.

Among 366 companies that received a qualified opinion on the effectiveness of internal controls through May 2, 2005, 94 percent had previously certified their controls as effective as recently as the quarterly filing previous to the SOX 404 annual report. According to a report by proxy research firm Glass, Lewis & Co., the data suggest that the certifying officers of the companies “were using a rubber stamp to certify the effectiveness of internal controls prior to SOX 404.”

Similarly, Glass, Lewis had reported back in April that 87 percent of companies that disclosed control deficiencies in the first three months of 2005 previously certified their controls as effective as recently as the quarterly filing before the revelation of a control deficiency.

“In general, there were a lot of new disclosures of control deficiencies from companies that hadn’t said anything before,” noted Leah Townsend, the Glass, Lewis research analyst who wrote the report on control deficiencies. Townsend said many of those CEOs and CFOs had earlier reported that their internal controls were effective under the requirements of Section 302, which became effective on Aug. 29, 2002.

“Nearly every one of the companies that reported a deficiency under 404 had previously signed off on the 302 certification that their internal controls were operating effectively, said Townsend. “It could mean that maybe they weren’t even testing their controls and they just signed off.”

Leech

“Many companies had these problems for years and executives have continued to say they have effective control systems,” noted Tim Leech, principal consultant and chief methodology officer for Paisley Consulting. “The reality is that thousands of executives made these claims with not only limited support, but contradictory evidence.”

According to the Glass, Lewis report, the sheer volume of deficiencies disclosed during 2004 and the first four months of 2005 indicates that “the waters of financial information are murky.”

Keeping It Fresh

As the May 2, 2005 deadline for independent auditors to attest to the effectiveness of those controls drew near, the number of companies disclosing internal control deficiencies soared. In 2004, 462 companies disclosed internal control deficiencies. Another 642 companies reported various internal control deficiencies through the first four months of 2005. Of the 1,104 companies that disclosed deficiencies between January of 2004 and May 2, 2005, 81 percent concluded the deficiencies rose to the level of a material weakness.

“The disclosures were across the board—it wasn’t one particular group of companies. They were across all industries, all company sizes,” said Townsend. “That shows that maybe financial statements weren’t in as good condition as investors originally thought. Maybe there are more cracks where errors could happen.”

Given the findings, Townsend and others said companies ought to be focusing on improving their disclosure processes. “If [companies] have a problem, they should disclose it sooner rather than later, and include lots of detail about the problem, their plan to fix it, and a timeline for remediation,” said Townsend.

DeLoach

James DeLoach, managing director at compliance and risk consulting firm Protiviti, agrees. “One of the most important things for every company to focus on going forward is to make sure their disclosure process is very sensitive to change. For SOX to work, the disclosure process cannot go stale,” said DeLoach. “If there’s one issue I’d say every company has to get their finger on, that’d be the one.”

DeLoach said companies must take care to make their disclosure process is sensitive to changes in personnel, systems, new regulations, new accounting pronouncements. “Certifying officers need to be satisfied that when there’s a change in the organization that the controls and procedures in place identify the change timely, so the appropriate action and possible disclosure can be considered.”

The analysis found that the 899 companies that disclosed material weaknesses reported 1,464 types of deficiencies, but the actual number of deficiencies was even greater because multiple deficiencies may have related to only one category, according to Glass, Lewis.

More than a third of the material weaknesses (36.3 percent) were in financial systems infrastructure or review procedures, while personnel issues were the second most common type of material weakness at 23.2 percent. Both types of weaknesses can have a potentially significant impact on the financial statements, according to Townsend. “If companies don’t have the right people in place, or the right computer systems, it can affect everything.”

However, the severity of such weaknesses can be difficult to judge, because Townsend noted that a lot of companies didn’t provide much detail on the problems with their financial systems. “Some companies provided more detail about their control deficiencies but didn’t say how they were going to fix them,” she said. “If a deficiency is disclosed for an annual filing, the auditors won’t put out another opinion until there’s another annual filing. In the meantime, we don’t know if that control deficiency is causing errors, or is allowing errors to go undetected,” said Townsend.

Market Reactions; Looking To Year Three

While the Glass, Lewis analysis measured market reaction to the control deficiencies disclosures, Townsend said it’s too soon to tell how the markets will treat such disclosures. “On average, there was generally a decline when there was a deficiency disclosure,” said Townsend. Companies reporting a control deficiency experienced a stock decline of 2.8 percent on average over the next 30 days. The stock price of companies reporting a material weakness between Jan. 1, 2004, and May 2, 2005, declined 0.9 percent more than the market seven days after announcing the deficiencies.

STOCK PRICE MOVEMENT

The table below, reprinted with permission from Glass, Lewis & Co.'s "Control Deficiencies—Finding Financial Impurities," represents average stock price movement from seven days before announcement relative to market.

Type

1 Day After

7 Days After

30 Days After

60 Days After

All Deficiencies

-0.72%

-0.81%

-1.50%

-3.02%

Material Weaknesses

-0.67%

-0.90%

-1.96%

-4.06%

Qualified Opinions

-0.23%

-0.66%

-2.30%

-3.56%

Qualified Opinions—No Warning

-0.04%

-0.16%

-2.49%

-3.94%

Source: Glass Lewis, FactSet. Note: Averages include companies over $75M in market capitalization.

But Townsend also notes that the market reactions have been all over the map, and that no specific trends have emerged to predict future stock performance. “There were so many [disclosures] coming out for the first time. You can tell from the histograms, the reactions were all over the place. It’s something that has to be evaluated on a company by company basis,” said Townsend.

DeLoach at Protiviti agrees. “For most of the disclosures, the market reaction has been muted,” he said. “So long as the control weaknesses have not pertained to control environment and other pervasive issues that raise questions about management and management’s ability to perform, I think the market’s reaction has been somewhat muted.”

“If there’s anything we’ve learned over the last year, it’s that the key to the game is timely disclosure and disposal of issues,” said DeLoach. “The market respects the management group that gets its finger on an issue, is transparent in disclosing it and disposes of it.”

DeLoach said the Glass, Lewis findings are consistent with what his company is seeing among its public company clients. But for the companies, when it comes to control deficiencies, he said, “what companies are concerned about generally is more about the costs of the compliance process than anything else.”

“The biggest challenge companies have is how to take a longer term view to transition the compliance activity from a project to a cost effective process,” said DeLoach. “Companies are still really being highly reactive. They’re continuing to stay in project mode and can’t break through the logjam and start taking a longer term view of how to increase the robustness of their internal controls and get more value out of the process.”

A July 12 Compliance Week article noted that SOX 404 compliance was not getting any cheaper in “Year Two,” and DeLoach agrees that resources and short-term issues are contributing to the problem. “That’s why they’re saying Year Two will be just like year one: a resource drain,” said DeLoach. “Companies need to start thinking longer-term. They need to start thinking about what organization structure they need to have in place to facilitate ongoing compliance and to drive value out of the process by making the internal controls and financial reporting processes more efficient and more effective.”

Then, DeLoach said, companies must determine how long creating that structure is going to take. “Based on the answer to those questions, they need to build into their Year Three budgets and business plan the steps they need to take. If they don’t think about what needs to be done and factor it into their plans and budgets, nothing happens. That why nothing happened this year,” he said.

Topics