My eldest daughter came home from university for the holidays complaining loudly about her last business exam in management sciences. She claimed the exam had been ridiculously hard and didn't think she had done very well.

On the bright side however, she thought most of her classmates had also "tanked" the exam. The professor would probably have to apply a bell-curve approach — that is, base passing marks on the mean performance of the class rather than on an external standard — to improve grades or fail most of the class.

I still remember exams like that from my years in university in the 1970s ... some things in life don't change.

My daughter's claim — that most of the class would probably fail the exam if a strict grading system was applied — aptly sums up what might well happen to U.S. public companies, unless the "graders" are prepared to be very lenient.

But it's abundantly clear from early warnings from the Public Company Accounting Oversight Board, the Securities and Exchange Commission and at least one of the big four international audit firms — PricewaterhouseCoopers — that the corporate governance exam set by the Sarbanes-Oxley Act will be a hard one for the vast majority of public companies. So hard, perhaps, that the entire class will have to be placed on a bell curve and upgraded to achieve a respectable number of passes.

Chief executive officers and chief financial officers currently making claims in quarterly reports to the SEC that their companies have an effective system of internal control should take these warnings very seriously.

The clearer the generally accepted understanding of what constitutes "effective" control, the higher the risks, both personally and corporately, of failing the SOX 404 exam.

Tough Standards

The SEC and the PCAOB have given every sign they intend to set extremely tough external disclosure control standards.

If the regulators maintain their current course and interpretation of SOX it is likely hundreds — even thousands — of companies will fail their Sarbanes-Oxley section 404 tests starting this year. (SOX 404, of course, requires a firm's external auditors to report on the reliability of management's assessment of the company's controls).

Perhaps even more disturbing is that many companies currently claiming effective controls each quarter will be contradicted by their external auditors starting in 2004 (if they haven't already). The consequences of a very high number of companies failing their external disclosure control effectiveness audit test are still largely unknown. But the penalties could include credit rating downgrades, increased insurance premiums, cancellation of D&O insurance, as well as civil and criminal sanctions.

SOX 302 requires the CEO and CFO to acknowledge responsibility for internal controls over external financial disclosures, assess the effectiveness of those controls, and report their conclusions in each quarterly filing with the SEC.

In essence, starting in 2004, external auditors will become the graders of management's claims that they have designed and maintained internal controls that provide a high level of assurance that financial disclosures can be relied on by regulators and investors.

Early Signs

A December feature in this publication (see box at right) on disclosing material weaknesses in internal control is a wake-up call for companies that think they'll have little difficulty passing their SOX 404 exam. Klein researched a sample of disclosures related to internal control made in corporate filings in November and December, and it's clear that public accountants are now starting to issue "failing grades" on internal control to corporate America.

Klein cites multiple instances of external auditors, including KPMG, PwC, Grant Thornton, Deloitte, and others issuing failing grade warnings to companies such as Metris Companies, a $1.4 billion sales credit card issuer, drilling contractor Pride International, computer hardware firm California Micro Devices, and securities product manufacturer DHB Industries.

In the case of Metris Companies, for instance, the firm's financial statement notes from November say:

"The Company's outside auditors, KPMG LLP, issued a letter to the company's Audit Committee noting a material weakness involving internal control related to the Company's policies and procedures for valuing its retained interests."

The list of companies confessing to the SEC and the public that their external auditors think their internal controls have "material weaknesses" is significant and continues to grow in December filings with the SEC.

Confessions Under Pressure

What is fascinating about the list is that in many of the cases reported the company does not appear to have voluntarily disclosed the control weakness. This despite these companies having filed control effectiveness representations from their CEO and CFO in quarterly 10-Q filings with the SEC since SOX was passed last July.

These SEC filers appear, in many instances, to have been pressured by their external auditors to disclose the control weakness(es). Some of the disclosures imply management didn't really agree with the external auditor's assessment of the state of their controls. In many cases the "material weaknesses" identified had likely existed for some time, and may also have been known by the external auditors for some time. These financial statement note disclosures provide clear evidence that the rules of the corporate reporting game are changing and changing fast.

Pass Grade Hard To Achieve

An excellent White Paper titled Key Elements of Antifraud Programs and Controls issued by PwC in November (again, see box above, right) provides one of the first clear signs of how hard the SOX 404 test is likely to be. Public accountants are under tremendous pressure from the PCAOB and their own professional institute, the American Institute of Certified Public Accountants, to improve their track record in giving opinions on financial statements. Being a slack SOX 404 grader will have severe, perhaps life-threatening, consequences for public accountants trying to avoid becoming the next Arthur Andersen.

The SOX 404 exam will be tough, the PwC paper makes clear. The key question most students want answered by their "professors," and what companies should want to know as soon as possible, is this: just how tough will the exam be?

Grounds For A Fail

The PwC paper gives companies fair warning. PwC, for instance, will regard a company's failure to have a documented and effective code of conduct as, "at a minimum, a significant deficiency and a strong indicator of material weakness."

A lack of an effective ethics hotline or whistleblower program would be seen as a strong indicator of a significant deficiency in internal control over financial reporting, PwC says.

"PARAGRAPH 126"

According to the PCAOB's internal control standard, each of the following circumstances should be regarded as at least a significant deficiency and is a "strong indicator that a material weakness in internal control over financial reporting exists:"

Restatement of previously issued financial statements to reflect the correction of a misstatement.

Identification by the auditor of a material misstatement in financial statements in the current period that was not initially identified by the company's internal control over financial reporting. (This is still a strong indicator of a material weakness even if management subsequently corrects the misstatement.)

Oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee is ineffective. (Paragraphs 56 through 59 present factors to evaluate when determining whether the audit committee is ineffective.)

For larger, more complex entities, the internal audit function or the risk assessment function is ineffective.

For complex entities in highly regulated industries, an ineffective regulatory compliance function.

Identification of fraud of any magnitude on the part of senior management.

Significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.

The failure of a firm to perform tough checks on the background of people holding sensitive jobs would also be a strong sign of significant weakness in internal control over financial reporting. A passive attitude toward fraud and anti-fraud programmes will also be seen as a major deficiency, PwC says.

A firm's failure to disclose significant deficiencies or fraud to the external auditor or its audit committee, or to take appropriate action with regard to significant deficiencies, material weaknesses, actual fraud or suspected fraud is a significant deficiency and a strong indicator of a material weakness as indicated in paragraph 126 of the PCAOB proposed auditing standard (See box at left).

PwC's list is a long one. It implies that a failure on one part of the test may well be grounds for a failing grade on the whole effort. And the criteria the firm sets for a pass on corporate governance controls are rigorous.

How Many Can Pass?

As a forensic accountant and global risk and control trainer and consultant with 25 years' experience, my conclusion is that only a small percentage of companies in the world will get a passing grade — if, and it is a big if, the criteria set out by PwC are strictly applied on all audits of U.S. listed companies.

As you likely know, external audit partners will begin issuing written grades on listed companies with fiscal years ending after June 15, 2004. Whether Ernst & Young, KPMG, Deloitte, Grant Thornton, BDO and other auditors will issue similar warnings on the grading criteria they intend to use in the SOX 404 final exams remains to be seen. At least one senior KPMG audit partner has said that she generally agrees with the pass/fail criteria for antifraud programs outlined by PwC.

Remedial Help Needed Fast

The control effectiveness reporting grades already being issued to companies by their external auditors, as illustrated in SEC filings, may be the start of a trickle that could soon turn into a flood of failing grades as external auditors turn up the heat.

Companies that are not currently achieving a true pass grade using the type of effective control standards illustrated in PwC's paper, but which are nevertheless issuing "clean" control effectiveness opinions each quarter, need to seek remedial help as soon as possible or risk being called to task by their external auditors and regulators.

That's not something any company wants in the current climate.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented. The column was written originally for publication in the January issue of Global Risk Regulator.