Toward
Improved Internal Controls
Early Remediation Actions Disclosed
By
Neil L. Fargher and Audrey A. Gramling
JUNE 2005
- Companies that successfully implement the Sarbanes-Oxley
Act of 2002 (SOA) will likely identify weaknesses in internal
controls over financial reporting and remediate those weaknesses
with enhanced internal controls. Disclosure of the remediation
actions provides evidence to shareholders and the financial
community that companies are appropriately addressing identified
weaknesses. Such disclosure is consistent with SOA’s
mandate for increased transparency to the marketplace. A review
of recent SEC filings provides insight into the remediation
actions being taken in response to identified weaknesses in
internal control. Background
SOA
sections 302 and 404 emphasize the importance of internal
control for a company and mandate disclosures related to
internal control effectiveness and changes in internal control.
Section 302 requires a company’s signing officers
to acknowledge responsibility for establishing and maintaining
controls, to evaluate their effectiveness, and to present
a conclusion. Furthermore, companies are required to disclose
significant changes in their internal controls over financial
reporting, including remediation actions. Section 404 requires
management to document and evaluate the design and operation
of its internal controls over financial reporting, provide
an annual report on their effectiveness, and have its external
auditor attest to this assertion.
Disclosures
regarding internal control remediation actions can be made
in quarterly filings, annual filings, or an 8-K filing when
reporting on unscheduled material events or corporate changes.
The 8-K filings that disclose internal control remediation
actions typically include disclosures about events such
as a change in auditor or a restatement of financial statements.
A review
of recent 10-Q, 10-K, and 8-K filings with the SEC reveals
that 123 companies disclosed actions taken to correct identified
deficiencies in internal controls during August and September
2004. The initial list of companies reporting internal control
deficiencies was identified from Compliance Week (www.complianceweek.com).
Most remediation efforts were documented in regulatory filings
for the second quarter, for December fiscal year-end companies.
Deficiencies
that were the subject of remediation actions were described
as “material weaknesses” in internal controls
60% of the time; deficiencies of an apparently less serious
nature accounted for the remaining 40% of deficiencies.
In June 2004, the Public Company Accounting Oversight Board
(PCAOB) issued Auditing Standard 2, An Audit of Internal
Control over Financial Reporting Performed in Conjunction
with an Audit of Financial Statements (see “Implementing
PCAOB Auditing Standard 2 on Audits of Internal Control,”
by Jack W. Paul, The CPA Journal, May 2005). This
standard includes a definition of material weaknesses in
internal control over financial reporting: “a significant
deficiency, or a combination of significant deficiencies,
that results in more than a remote likelihood that a material
misstatement of the annual or interim financial statements
will not be prevented or detected.”
Weaknesses
in Internal Control
Weaknesses
in internal control can relate to weakness in the design
or the operation of internal controls. The remediation disclosures
did not always distinguish between the implementation of
additional controls needed to remedy design deficiencies,
and actions taken to improve operating deficiencies. Most
companies’ remediation actions, however, focused on
improving operating deficiencies rather than design deficiencies.
The most common types of deficiencies for which remediation
actions were being taken included inadequate staffing; inadequate
segregation of duties; and problems with the financial closing
process, account reconciliations, and application of accounting
principles. Consistent with identified deficiencies being
linked to significant controls over important financial
reporting areas, the areas of financial reporting mentioned
most often include revenue recognition, accounting for contracts,
accounting for complex financial transactions, cut-off,
and taxation issues.
Remediation
Actions
The
level of detail provided by the company about the remediation
actions taken in response to these weaknesses varied greatly.
Disclosures ranged from a generic statement to detailed
lists of specific actions. Approximately 35% of the remediation
disclosures could be described as providing a somewhat detailed
list of remedial actions taken, while the remaining companies
provided relatively vague assurances of efforts to improve
controls.
A November
3, 2004, Wall Street Journal article highlighted
Catalina Marketing as an example of a company that “had
got the message” regarding disclosure of remediation
efforts. Catalina Marketing’s 10-Q filing includes
four areas where control deficiencies had been identified:
-
The structure and design of certain financial information
reporting processes;
-
Inadequate or ineffective policies for documenting transactions;
-
The design of policies and execution of processes related
to accounting for transactions; and
-
The internal control environment.
Catalina
Marketing’s disclosure then listed 13 specific improvements
it made to its internal controls. The Exhibit
presents an excerpt from Catalina Marketing’s disclosure
regarding its remediation actions.
Specifics
on remediation actions. A review of the remediation
disclosures suggests that remediation actions can typically
be categorized in one of five areas.
Policies
and procedures. Many remediation disclosures refer
to implementing improved policies and procedures. Such changes
included improved documentation (25%); improvements in various
processes, including lines of authority, authorizations,
and segregation of duties (28%); and upgrades of information
systems (22%).
Personnel.
Most of the 123 remediation disclosures referred to personnel
changes. The most common method for reassuring investors
was the appointment, or planned appointment, of new staff
(45%), especially at the controller or CFO level (19%).
Experienced employees were considered to be better able
to understand and meet SEC reporting requirements. Only
11% of the companies referred to the need to employ additional
internal audit staff. Few disclosures explicitly referred
to the departure of personnel; however, for the most serious
cases involving fraud and restatements, further investigation
often revealed that the previous CFO left the company.
Training.
One of the most frequently cited remediation actions was
improved training (25%); however, often little detail was
provided regarding the nature or extent of training.
Board
procedures. Despite remediation actions prompted by
the failure to meet adequate control requirements for significant
controls, relatively few disclosures referred to changes
at the board level. Only 5% of disclosures mentioned adding
financial expertise to the board or audit committee, or
to making changes to procedures for reporting to the board
or audit committee.
International
operations. Eighteen companies’ disclosures mentioned
changes in personnel, changes in authority, or increased
review with respect to overseas financial reporting operations.
Five companies relocated financial operations, centralizing
their accounting functions to improve control.
Emerging
Issues
Timely
completion. SOA section 404, in conjunction
with PCAOB Auditing Standard 2, requires that the annual
internal control evaluation be made at the date of the issuer’s
fiscal year-end. Hence, any remediation efforts taken during
the fiscal year would need to be in place for a sufficient
period of time to allow for testing by management and the
external auditor. The PCAOB emphasizes this point in its
“Staff Questions and Answers” (issued June 2004,
revised July 2004). The PCAOB staff, in “Question
and Answer 6,” notes that if, for example, a company
implements a new computer system related to financial reporting,
then testing of internal control would need to be performed
with respect to that new system, even if the system was
implemented close to the year-end.
If
remediation of an internal control deficiency is not completed
in time to allow for testing to occur as part of the year-end
evaluation, then there will be a reported deficiency. Depending
on the severity of the deficiency, the issuer may have a
material weakness, and hence an adverse opinion on internal
control. Audits of internal control differ from audits of
financial statements in terms of the ability of management
to correct any problems identified by the external auditor.
Management can correct misstatements by making the appropriate
adjustments to the financial statements. If a material weakness
in internal control is found to exist at year-end, however,
that weakness can be fixed only as of a future date. Management
is expected to remediate such deficiencies in a timely manner
and may want to provide the marketplace with assurances
of the effectiveness of those remediation actions.
Given
the extent of remediation efforts that will likely be in
progress after the fiscal year-end, there may be a public
demand for auditors to be able to issue an opinion, subsequent
to the issuer’s year-end, on the effectiveness of
just the internal controls that have been remediated. The
demand for such a service will likely be very important
where deficiencies in controls at fiscal year-end are subsequently
remediated. This
issue was raised, but not resolved, at the PCAOB Standing
Advisory Group meeting in November 2004. The PCAOB issued
an exposure draft for an auditing standard on reporting
on the elimination of material internal control weakness
in March 2005.
Documentation.
Current disclosures about remediation actions
indicate that many companies have identified problems related
to the documentation of internal controls. SOA section 404
requires public companies to document the design and operations
of their internal controls. With a quarter of companies
acknowledging the need to improve internal control documentation,
remediation of deficiencies related to documentation is
likely to result in an ongoing demand for experienced accounting
staff, internal auditors, and external consultants. Even
companies with effective internal control operations must
ensure that internal control documentation is accurate and
complete.
Another
disclaimer. Disclosures often come with disclaimers,
and disclosures of changes in internal controls are no different.
Many companies have provided a disclaimer that a control
system, no matter how well designed and operated, cannot
provide absolute assurance that the objectives of the control
system are met, and that no evaluation of controls can provide
absolute assurance that all control deficiencies have been
detected. While this may be true and important to acknowledge,
such a statement is probably more persuasive coming after
a detailed list of remediation efforts than after a vague
promise that deficiencies will be rectified.
An
Open Question
SOA
represents an opportunity to restore investor confidence.
Some companies have previously operated with less than satisfactory
internal controls. Implementing SOA sections 302 and 404
can provide benefits through the identification of control
deficiencies and, more important, through the improvement
of internal controls, can result in improved corporate governance.
The level of emphasis that will be placed on implementing
an adequate strategy for ensuring a culture of high-quality
financial reporting, starting at the top of the organization,
remains an open, and important, question.
Neil
L. Fargher, PhD, is a professor at Macquarie University
and visiting associate professor at the department of accountancy,
University of Illinois, Champaign, Ill.
Audrey A. Gramling, PhD, CIA, CPA, is currently serving
as an academic fellow in the Office of the Chief Accountant
of the SEC and is an assistant professor in the School of
Accountancy of the J. Mack Robinson College of Business, Georgia
State University, Atlanta, Ga.
Disclaimer:
As a matter of policy, the Securities and Exchange Commission
disclaims responsibility for any private publication or
statement of any SEC employee or commissioner. This publication
expresses the authors’ views and does not necessarily
reflect those of the Commission, the commissioners, or other
members of the staff. |