Questions I sometimes ask students in risk and control assessment training workshops to illustrate the concept of residual risk tolerance include:

How many of them have broken a car speed restriction law in the past three months?

How many have broken a speed law more than five times over the past three months? More than 10 times? More than 80 times?

How many were caught speeding during that time, and how big was the fine or penalty?

Answers from internal auditors, operational risk management specialists and external auditor partners are very consistent: most people in the workshop, to varying degrees, break speed limit laws. Few get caught and virtually none suffer penalties proportionate to their financial circumstances. It doesn't seem to matter whether the workshop is in the Asia/Pacific region, Europe or North America. Some students regularly break the speed laws to a significant degree, while others tend toward moderate or low levels of illegality.

Parallel Questions

In July 2002 the Sarbanes-Oxley Act was passed in the US establishing the stiffest corporate governance rules so far seen anywhere in the world and setting specific expectations for firms whose shares are traded on US stock exchanges.

Section 302 of the Act requires chief executives and chief financial officers (CEOs and CFOs) to certify that they have effective systems of internal control related to external financial disclosures, and that they have effective systems to notify both the external auditor and their audit committee when significant control deficiencies are detected in these systems. Section 404 requires a firm's external auditor to report on the reliability of management's assessment of internal controls.

Important questions related to sections 302 and 404 that parallel the questions asked of my students include:

How ineffective can my systems be before I can't claim they are "effective"?

How many and what type of control deficiencies can I leave unreported to my external auditors and audit committee and still be OK in the eyes of the US stock market watchdog, the Securities and Exchange Commission (SEC), and the civil courts?

Will the SEC and civil courts have high, medium or low tolerance for non-compliance?

Will tolerance levels for violations and/or weak support for control effectiveness assertions be consistent, or will examples be made of certain CEOs and CFOs to send a message?

In part, these are legal questions that lawyers will grapple with when advising their clients. Lawyers will draw on cases previously decided by the SEC and the courts, their knowledge of the general legal standard of "duty of care" and the record of SEC enforcement actions to provide advice. However, there are also complex technical issues involved that must be understood to provide defensible answers.

Although these are serious and difficult legal and technical questions that deserve lengthy examination and dissertations from control theorists, forensic accountants and legal experts to do them justice, here are some of the key issues:

What Constitutes An Effective Internal Control System?

In early July, on my way to my cottage north of Toronto, Canada, I set my car's speed control at 120 kilometers per hour, or 75 miles per hour. There may even have been a few instances where this upper limit was exceeded, mainly for reasons of safety and courtesy. The trip was uneventful, despite passing two or three police cruisers with radar equipment. Apparently, at least on that day, 120 km/hour was a tolerable illegality, even though the speed limit was 100 km/hour.

In the case of sections 302 and 404, the key tolerance questions are:

How will CEOs and CFOs decide whether their external disclosure control system meets the definition of being an effective system? How many and what type of control deficiencies are acceptable?

How will a company's external auditor decide whether they agree or disagree with the opinion reached by the CEO and CFO when forming their section 404 control effectiveness opinion?

How will the SEC decide whether the decisions reached by CEOs and CFOs and their external auditors related to what constitutes an effective control system are right or wrong?

How will the SEC and courts decide penalties when they have decided the CEO/CFO assertion, and the related opinion by the external auditor, are wrong or inadequately supported?

What Constitutes A Reportable Control Deficiency?

The Sarbanes-Oxley Act says "significant control deficiencies" must be reported to a company's external auditor and audit committee.

Using my speed transgressions as an analogy, how will external auditors and the SEC decide that a control deficiency (of which there are usually hundreds or even thousands in most companies), individually or collectively, crosses the line from being just one of many control deficiencies to being a "significant control deficiency"?

If a company's external auditor must regularly require adjustments to the company's accounts and notes prior to release, is this by itself evidence that the company has significant control deficiencies?

If external auditors routinely conclude a company's controls are not very reliable and substitute high levels of year-end account testing to compensate for their lack of reliability (as has been done by external auditors all over the world over the last decade), is this evidence of one or more significant deficiencies in control systems?

How Will Punishments Be Levied For Violations?

While I was driving to a business meeting in June I noticed a large sign after I crossed the Ontario/Quebec border that posted penalties for various levels of illegality.

For exceeding the speed limit by 10 km/hour, the fine was $100 (US $74), and $200 for exceeding it by 20 km/hour. Going over the limit by 30 km/hour earned demerit points, and 40 km/hour meant license suspension.

SEC Commissioner Cynthia Glassman provided some insight in September last year into how the SEC weighs penalties and leniency:

"... if you need another justification to sell the idea of good corporate governance, I would point out that the Commission takes seriously the pronouncements made in our Section 21(a) report on the "Relationship of Cooperation to Agency Enforcement Decisions." In the report, the Commission noted that one factor we will look at is whether the company took seriously its obligation to detect fraud. Obviously, no system of controls can prevent all misconduct; however, if a company can demonstrate that it has satisfied its obligation to implement good procedures, then in my eyes it has a significantly better chance of receiving leniency (assuming the other criteria set out in the report are met). In short, if you are looking for leniency you had better be able to show that you cared about preventing corporate misconduct before you discover that it occurred."

This suggests that if a company does make unreliable disclosures, it had better have a very persuasive story about how much effort it put into preventing the release of incorrect information to external parties.

On the enforcement front, The Accountant Compliance and Enforcement Staffing Act of 2003 came into force in early July. The law clears the way to speed SEC hiring of an additional 800 enforcement staffers. Other indicators strongly suggest the SEC enforcement teams are looking for some high profile cases to publicize that they are serious about enforcing the new U.S. corporate governance regime.

This suggests that the probability of getting caught violating the law will rise substantially over the next few years because of more, and better quality, enforcement staff.

When Will The Tolerance Limits Be Clear?

Just as police are sometimes told by their top brass when to enforce laws and with what level of vigor, U.S. exchange-listed companies can expect that 302/404 expectations will be clarified over the next year as the starting dates for Section 404 external audit certifications get closer. Those start dates are June 15, 2004 for most large U.S. companies and April 15, 2005 for smaller companies and foreign firms.

CEOs and CFOs are already asking their lawyers and external auditors, how much "over the speed limit" can their company go and still be OK?

Most external auditors are correctly advising clients that they don't know with any certainty the answer because the new Public Company Accounting Oversight Board, which polices the accounting industry, has not issued guidance on the auditing standards to be used in forming Section 404 external audit opinions. Opinions from securities lawyers, if given at all, are almost certainly hedged with numerous caveats.

The honest answer to the question of what legally constitutes an "effective external disclosure system" and a "significant deficiency" is that nobody, not even experts who have practiced in the internal controls assessment area throughout their professional careers, knows the answer yet ... not even approximately. There needs to be clearer guidance from the SEC, detailed guidance from the PCAOB, and some high-profile enforcement actions and lawsuits before even semi-clear, defensible answers to these questions begin to emerge.

Meanwhile, CEOs and CFOs are already making Section 302 assertions stating their external disclosure controls are effective, despite their internal audit departments and external auditors often disclosing hundreds, or even thousands, of internal control deficiencies. External auditors have often required major adjustments to the accounts before financial statements were released in 10K and 10Q filings. Many companies have issued major restatements of prior period financial statements.

It is important to note that many of the CEO and CFO effectiveness representations made in 10Q filings in 2003 have limited support to validate them, particularly in smaller listed companies. Executives at HealthSouth, a recent massive corporate governance disaster, asserted in their 10Q filings that they had an effective system of internal control, despite accounting disclosures that have since been proven wrong by billions of dollars.

Where Will The Tolerance Line Be Set For U.S. Listed Companies?

The question "where is the tolerance line for Section 302 and 404 representations?" should be of great interest to all public companies, whether listed in the U.S. or elsewhere in the world.

Formal and informal guidelines that provide guidance on what constitutes "effective" and a "significant control deficiency" in the U.S. will emerge over the next two years.

Other countries may adopt these interpretations and reporting approaches.

Securities regulators around the world, legal and audit advisors, and CEOs and CFOs should pay close attention to these formal and informal tolerance rules. No one likes getting fined or sent to jail — particularly for an infraction one thought was acceptable.

In the meantime, drive with caution or risk being made an example to deter others.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented. The column was written originally for publication in the July issue of Global Risk Regulator.