Section 404 compliance: telling it like it is

It's 'showtime' for reporting on internal controls, and Financial Executives Research Foundation (FERF) asked some in corporate America, 'How's it going?' Here are a few tales from the trenches.

Investors will soon hear and read a lot about internal control. Beginning with this year's annual reports, companies will, for the first time, be reporting on the effectiveness of their internal control over financial reporting--as required by Section 404 of the Sarbanes-Oxley Act of 2002. Not all of the news will be good, because some companies will have to disclose control deficiencies that have not yet been remediated as of fiscal year end.

Companies have long been plagued by control deficiencies and weaknesses in their systems of internal control. The Public Company Accounting Oversight Board (PCAOB) has now defined three different magnitudes of control deficiencies, and has even provided examples. To the extent that control deficiencies are identified, both management and the external auditors are required to determine if they are significant deficiencies or material weaknesses (see sidebar). Only material weaknesses are required to be publicly reported.
For over a year now, companies have been documenting their business and financial reporting processes and how those processes are controlled, and then testing those controls. The Dow Chemical Co. got started early. "We started back in March of 2003," says Ron Edmonds, global accounting director for Dow. "We put together a Sarbanes-Oxley Section 404 Implementation Team, drawn from finance, information systems, manufacturing, human resources, legal and the business units, to first decide what had to be done and then implement the needed actions."

Dow decided to install Deloitte's Risk Control Tracking System to store and keep track of all the process documentation, process flow charts and control self-assessments. By mid-2003, Dow had documented most of its processes and was able to start testing the related controls.

Early Start Helpful

"We found some gaps in existing documentation and some control deficiencies, but, because we got started early, we were able to remediate the deficiencies and retest the controls," Edmonds recounts. He estimates that, all told, Dow employees spent over 100,000 hours documenting, testing, remediating and retesting. And, while Edmonds did not attach an internal cost to the hours, if the average professional is paid $100,000 per year in salary and benefits, this total cost could approach $5 million--not including the additional costs of software and outside consultants.

Dow's Implementation Team kept its audit committee well informed of its activities and progress. "We put together written presentations for each meeting of the audit committee starting in mid-2003, and the audit committee meets about six times per year," says Edmonds. "We were upfront with any issues and deficiencies that we uncovered, and explained exactly how they would be remediated." The Implementation Team also developed special educational programs for the top 200 leaders at Dow, and has had multiple meetings with the Office of the Chief Executive.

Edmonds says that Dow has not yet decided how it will report on its system of internal controls in its 10-K. "Once we get through the process of assessing internal controls, we'll figure out how to explain it in the 10-K. We suspect that most companies will use similar language to report on their internal controls, but we don't yet know what that language will be. However, we do not expect to have to report any control deficiencies or weaknesses at Dow."

General Motors Corp. will also not have to report any deficiencies. "We have not yet found any reportable control deficiencies at GM," says Chief Accounting Officer Peter R. Bible. While Deloitte, GM's external auditor, was still testing some of GM's internal controls, Bible expects that Deloitte will issue an unqualified opinion. "We will make a statement about our internal controls in our 10-K, probably in Management's Responsibility for Financial Statements, but we don't expect to have to announce any bad news," he says.

Bible says that GM will file its 10-K on March 15, as permitted by the SEC's recent rule that will maintain the current filing deadline within 75 days of fiscal year-end. "We were certainly glad that the SEC announced this ruling. This will give our audit committee more time to review the 10-K." Before the SEC made this announcement on November 17, a company with a fiscal year-end of December 31 would have had to file its 10-K on March 1 (within 60 days of its fiscal year-end), as part of a three-year phase-in accelerating companies' deadlines for SEC filings. "If we had to file the 10-K by March 1, we would have had to change the date of the audit committee meeting, which would have required other changes in our 10-K review timeline."

On the filing timetable, Bible says: "There may be a lot of companies that will have to announce unremediated material weaknesses, and I think that they will need this additional time to plan their announcements."

Bible does concede that some surprises surfaced during GM's documentation and testing of internal controls, such as the quality of internal controls at service providers. "There is some question as to whether SAS 70 (Statement on Auditing Standard 70, Reports on the Processing of Transactions by Service Organizations) is adequate for the requirements of AS2 [Auditing Standard No. 2] as issued by the PCAOB, and this might be an issue for some companies."

Dow's Edmonds also discussed the SAS 70 issue. "We had one large service provider that decided it did not need to provide us with an SAS 70 report. We told them that if they did not give us an SAS 70, we would need to send in a team of our internal auditors, and Deloitte, our external auditor, would send in another team, and we expected that a lot of other clients would do the same. Needless to say, the provider decided to send an SAS 70 report to all of their clients."

But the SAS 70 issue is not so easy to resolve, notes Edmonds, who says another service provider also sent Dow an SAS 70 report for 2003 last July, saying that "we would not get the SAS 70 for 2004 until mid-2005. Dow's position is that the SAS 70 needs to cover at least six months of the current year activity under audit or we cannot rely on it." Edmonds recommends that companies ask their service providers for an SAS 70 that covers July to June at a minimum, and get it in the third quarter. Assuming the service provider has no changes in its internal control structure subsequently, it can then be used for the current year.

For more on how 20 large companies have implemented Section 404, and how they plan to comply in the future, see the FERF Executive Report, Sarbanes-Oxley Section 404 Implementation: Status on Structure, Process and Sustainability. The report can be ordered online at www.fei.org/rfbookstore.

Credit Rating Impact Unclear

A key issue to both companies and investors is how the reports on internal control will affect a company's credit rating. In October, Moody's Investors Service issued a Special Comment, "Section 404 Reports on Internal Control: Impact on Ratings Will Depend on Nature of Material Weaknesses Reported." (The document is available on FEI's Web site.) This special comment describes what the new rules require, what the new reports will say and how Moody's expects to react to the new reports.

"We are less concerned about material weaknesses that relate to controls over specific account balances or transactions," says Gregory Jonas, managing director at Moody's. "If management takes corrective actions in a timely manner, rating actions are unlikely."

"However, if a company reports material weaknesses that relate to company-level controls, such as the control environment or financial reporting process, we will bring the company to rating committee to determine whether a rating action is necessary," says Jonas. He explains: "These types of weaknesses concern us because it's harder for auditors to audit around a pervasive control problem. In these cases, investors just don't know how much they can trust reported financial data, particularly when that data is not audited."

Jonas realizes that companies have done a lot of work over the past year, at considerable expense, and he is very positive about the whole process. "We believe that internal control reports are a good thing, because we expect they will help restore investor confidence and improve the quality of financial reporting. If so, the benefits to investors will be considerable."

Will there be comparable benefits to companies?
Section 404 compliance will provide companies with opportunities to first standardize their business processes, and then improve upon those processes. If employees at the business unit level are willing to take ownership of these processes, a new corporate culture based on good controls will emerge. And if process inefficiencies are identified and resolved, increased productivity will likely result.

Today, some question the enormous costs of Section 404 compliance. The full value of the efforts will only become apparent over time.

RELATED ARTICLE: Is It a Significant Deficiency or a Material Weakness?

Three degrees of control deficiencies--in order of magnitude--have been formally defined in Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, (AS2) released by the Public Company Accounting Oversight Board (PCAOB) on Mar. 9, 2004:

1. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. (Paragraph 8)

2. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected. (Paragraph 9)

3. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. (Paragraph 10)

Note: Auditing Standard No. 2 provides examples of the different orders of magnitude of control deficiencies in its Appendix D. For example, not reconciling intercompany accounts is a control deficiency. Not having a formal process in place to ensure reconciliation would be considered a significant deficiency. If there are a significant number of material intercompany transactions, lack of a formal process would constitute a material weakness.

RELATED ARTICLE: What Has to be Reported?
Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports (Final Rule 33-8238, which became effective Aug. 14, 2003) was released by the U.S. Securities and Exchange Commission (SEC) in response to Section 404, which directed the SEC to prescribe rules requiring annual reports to:

* State management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

* Contain an assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.

William M. Sinnett (bsinnett@fei.org) is Manager of Research for Financial Executives Research Foundation (FERF).