Print


Toward Improved Internal Controls
Early Remediation Actions Disclosed

By Neil L. Fargher and Audrey A. Gramling

JUNE 2005 - Companies that successfully implement the Sarbanes-Oxley Act of 2002 (SOA) will likely identify weaknesses in internal controls over financial reporting and remediate those weaknesses with enhanced internal controls. Disclosure of the remediation actions provides evidence to shareholders and the financial community that companies are appropriately addressing identified weaknesses. Such disclosure is consistent with SOA’s mandate for increased transparency to the marketplace. A review of recent SEC filings provides insight into the remediation actions being taken in response to identified weaknesses in internal control.

Background

SOA sections 302 and 404 emphasize the importance of internal control for a company and mandate disclosures related to internal control effectiveness and changes in internal control. Section 302 requires a company’s signing officers to acknowledge responsibility for establishing and maintaining controls, to evaluate their effectiveness, and to present a conclusion. Furthermore, companies are required to disclose significant changes in their internal controls over financial reporting, including remediation actions. Section 404 requires management to document and evaluate the design and operation of its internal controls over financial reporting, provide an annual report on their effectiveness, and have its external auditor attest to this assertion.

Disclosures regarding internal control remediation actions can be made in quarterly filings, annual filings, or an 8-K filing when reporting on unscheduled material events or corporate changes. The 8-K filings that disclose internal control remediation actions typically include disclosures about events such as a change in auditor or a restatement of financial statements.

A review of recent 10-Q, 10-K, and 8-K filings with the SEC reveals that 123 companies disclosed actions taken to correct identified deficiencies in internal controls during August and September 2004. The initial list of companies reporting internal control deficiencies was identified from Compliance Week (www.complianceweek.com). Most remediation efforts were documented in regulatory filings for the second quarter, for December fiscal year-end companies.

Deficiencies that were the subject of remediation actions were described as “material weaknesses” in internal controls 60% of the time; deficiencies of an apparently less serious nature accounted for the remaining 40% of deficiencies. In June 2004, the Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (see “Implementing PCAOB Auditing Standard 2 on Audits of Internal Control,” by Jack W. Paul, The CPA Journal, May 2005). This standard includes a definition of material weaknesses in internal control over financial reporting: “a significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.”

Weaknesses in Internal Control

Weaknesses in internal control can relate to weakness in the design or the operation of internal controls. The remediation disclosures did not always distinguish between the implementation of additional controls needed to remedy design deficiencies, and actions taken to improve operating deficiencies. Most companies’ remediation actions, however, focused on improving operating deficiencies rather than design deficiencies. The most common types of deficiencies for which remediation actions were being taken included inadequate staffing; inadequate segregation of duties; and problems with the financial closing process, account reconciliations, and application of accounting principles. Consistent with identified deficiencies being linked to significant controls over important financial reporting areas, the areas of financial reporting mentioned most often include revenue recognition, accounting for contracts, accounting for complex financial transactions, cut-off, and taxation issues.

Remediation Actions

The level of detail provided by the company about the remediation actions taken in response to these weaknesses varied greatly. Disclosures ranged from a generic statement to detailed lists of specific actions. Approximately 35% of the remediation disclosures could be described as providing a somewhat detailed list of remedial actions taken, while the remaining companies provided relatively vague assurances of efforts to improve controls.

A November 3, 2004, Wall Street Journal article highlighted Catalina Marketing as an example of a company that “had got the message” regarding disclosure of remediation efforts. Catalina Marketing’s 10-Q filing includes four areas where control deficiencies had been identified:

  • The structure and design of certain financial information reporting processes;
  • Inadequate or ineffective policies for documenting transactions;
  • The design of policies and execution of processes related to accounting for transactions; and
  • The internal control environment.

Catalina Marketing’s disclosure then listed 13 specific improvements it made to its internal controls. The Exhibit presents an excerpt from Catalina Marketing’s disclosure regarding its remediation actions.

Specifics on remediation actions. A review of the remediation disclosures suggests that remediation actions can typically be categorized in one of five areas.

Policies and procedures. Many remediation disclosures refer to implementing improved policies and procedures. Such changes included improved documentation (25%); improvements in various processes, including lines of authority, authorizations, and segregation of duties (28%); and upgrades of information systems (22%).

Personnel. Most of the 123 remediation disclosures referred to personnel changes. The most common method for reassuring investors was the appointment, or planned appointment, of new staff (45%), especially at the controller or CFO level (19%). Experienced employees were considered to be better able to understand and meet SEC reporting requirements. Only 11% of the companies referred to the need to employ additional internal audit staff. Few disclosures explicitly referred to the departure of personnel; however, for the most serious cases involving fraud and restatements, further investigation often revealed that the previous CFO left the company.

Training. One of the most frequently cited remediation actions was improved training (25%); however, often little detail was provided regarding the nature or extent of training.

Board procedures. Despite remediation actions prompted by the failure to meet adequate control requirements for significant controls, relatively few disclosures referred to changes at the board level. Only 5% of disclosures mentioned adding financial expertise to the board or audit committee, or to making changes to procedures for reporting to the board or audit committee.

International operations. Eighteen companies’ disclosures mentioned changes in personnel, changes in authority, or increased review with respect to overseas financial reporting operations. Five companies relocated financial operations, centralizing their accounting functions to improve control.

Emerging Issues

Timely completion. SOA section 404, in conjunction with PCAOB Auditing Standard 2, requires that the annual internal control evaluation be made at the date of the issuer’s fiscal year-end. Hence, any remediation efforts taken during the fiscal year would need to be in place for a sufficient period of time to allow for testing by management and the external auditor. The PCAOB emphasizes this point in its “Staff Questions and Answers” (issued June 2004, revised July 2004). The PCAOB staff, in “Question and Answer 6,” notes that if, for example, a company implements a new computer system related to financial reporting, then testing of internal control would need to be performed with respect to that new system, even if the system was implemented close to the year-end.

If remediation of an internal control deficiency is not completed in time to allow for testing to occur as part of the year-end evaluation, then there will be a reported deficiency. Depending on the severity of the deficiency, the issuer may have a material weakness, and hence an adverse opinion on internal control. Audits of internal control differ from audits of financial statements in terms of the ability of management to correct any problems identified by the external auditor. Management can correct misstatements by making the appropriate adjustments to the financial statements. If a material weakness in internal control is found to exist at year-end, however, that weakness can be fixed only as of a future date. Management is expected to remediate such deficiencies in a timely manner and may want to provide the marketplace with assurances of the effectiveness of those remediation actions.

Given the extent of remediation efforts that will likely be in progress after the fiscal year-end, there may be a public demand for auditors to be able to issue an opinion, subsequent to the issuer’s year-end, on the effectiveness of just the internal controls that have been remediated. The demand for such a service will likely be very important where deficiencies in controls at fiscal year-end are subsequently remediated. This issue was raised, but not resolved, at the PCAOB Standing Advisory Group meeting in November 2004. The PCAOB issued an exposure draft for an auditing standard on reporting on the elimination of material internal control weakness in March 2005.

Documentation. Current disclosures about remediation actions indicate that many companies have identified problems related to the documentation of internal controls. SOA section 404 requires public companies to document the design and operations of their internal controls. With a quarter of companies acknowledging the need to improve internal control documentation, remediation of deficiencies related to documentation is likely to result in an ongoing demand for experienced accounting staff, internal auditors, and external consultants. Even companies with effective internal control operations must ensure that internal control documentation is accurate and complete.

Another disclaimer. Disclosures often come with disclaimers, and disclosures of changes in internal controls are no different. Many companies have provided a disclaimer that a control system, no matter how well designed and operated, cannot provide absolute assurance that the objectives of the control system are met, and that no evaluation of controls can provide absolute assurance that all control deficiencies have been detected. While this may be true and important to acknowledge, such a statement is probably more persuasive coming after a detailed list of remediation efforts than after a vague promise that deficiencies will be rectified.

An Open Question

SOA represents an opportunity to restore investor confidence. Some companies have previously operated with less than satisfactory internal controls. Implementing SOA sections 302 and 404 can provide benefits through the identification of control deficiencies and, more important, through the improvement of internal controls, can result in improved corporate governance. The level of emphasis that will be placed on implementing an adequate strategy for ensuring a culture of high-quality financial reporting, starting at the top of the organization, remains an open, and important, question.


Neil L. Fargher, PhD, is a professor at Macquarie University and visiting associate professor at the department of accountancy, University of Illinois, Champaign, Ill.
Audrey A. Gramling, PhD, CIA, CPA
, is currently serving as an academic fellow in the Office of the Chief Accountant of the SEC and is an assistant professor in the School of Accountancy of the J. Mack Robinson College of Business, Georgia State University, Atlanta, Ga.

Disclaimer: As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or commissioner. This publication expresses the authors’ views and does not necessarily reflect those of the Commission, the commissioners, or other members of the staff.

Close