Sarbanes-Oxley 404 – The Facts

A lot has been written about the cost of Sarbanes – Oxley and the level of effort some companies have had to expend to attempt to comply. But you haven’t heard much from the many companies, in some of the most unexpected places, that quietly moved forward, added this requirement to their existing internal audit, risk management and compliance framework and took success for granted. The companies that have complained and have spent the most have often been companies that were poorly managed, had underlying ethics and fraud issues, and/or had outsourced or significantly reduced staff in essential functions like accounting, internal audit, IT and human resources. Having a competent and complete accounting and finance function is a cost of doing business for a public company. How anyone thought they could do without is beyond my ken…

An interesting study was published recently in the Journal of Accountancy by Kathryn E. Scarborough of the SEC and Mark H. Taylor, a Professor at Creighton University.

Some of the more important findings:

1) The number of companies reporting material weaknesses in their internal controls over financial reporting (ICFR) went from 15.7% the first year to 10.3% the second year. The nature of material weaknesses, the most common of which was GAAP misapplication or failure, remained the same.

2)Smaller companies reported disproportionately higher numbers of ICFR deficiencies in both years, which were also reflected in a disproportionately higher number of ICFR deficiencies among clients of audit firms that primarily audited smaller companies, such as Grant Thornton and BDO Seidman.

3)Issuers in the retail and service sectors were most likely to have ineffective ICFR while construction and finance, insurance and real estate were the least likely to report material weaknesses in ICFR.

4)Research shows that companies that have implemented section 404 are less likely to restate results. Restatements among companies that implemented section 404 declined 14% in 2006 while restatements by companies not yet required to comply with section 404 (non-accelerated filers) rose 40%.

The five most common internal control issues leading to material weaknesses reported in year two and year one were identical.

1)Accounting rule (GAAP / FASB) application failures
2)Accounting documentation, policy and/or procedures
3)Material and/or numerous auditor / YE adjustments
4)Accounting personnel resources, competency / training
5)Restatement or nonreliance of company filings

Information technology, software, security and access issues came in at #6. I think you will see these issues become more prominent, as we saw yesterday in the Boeing story. Many companies got a pass from their auditors during the first two rounds on IT General Controls issues. Only the most egregious violators were dinged with a material weakness for IT related control weaknesses. This is because neither the companies (and their supporting service providers) nor the external auditors had enough competent staff to evaluate IT General Controls during the first two years.

General passes, such as the ones given for large ERP and infrastructure vendors, allowed whole topics to be deemed “out of scope.” (For example, the Big 4 audit firms informally agreed amongst themselves that it could be assumed that code from large vendors like Oracle/PeopleSoft/SAP and CISCO/Microsoft/Sun is delivered from the vendors bug-free and, therefore, companies didn’t need change management, release management and testing approaches, including separate testing environments to manage updates and patches.)

I expect you will see IT related control weaknesses moving to the top of the list as auditors and companies have a chance to dig deeper into the company’s control structure now that the basic internal controls over financial reporting on the functional side have been beaten to death and, hopefully, conquered.

Another area that was informally agreed off limits during the first two years was disaster recovery and contingency planning. Given global experiences with terrorism, natural disasters and other external threats, can any company without a reasonable and executable disaster recovery plan and contingency planning process be deemed “controlled”?

Additional items from the Journal of Accountancy report:
Specific GAAP Application Failures Identified by Issuers With Ineffective ICFR

1)Tax expense / benefit / deferral / other (FAS 109) issues
2)(Revenue recognition issues
3)Liabilities, payables, reserves & accrual estimate failures
4)Inventory, vendor & cost of sales issues
5)Accounts / loans receivable, investments & cash issues
6)PPE / Fixed / Intangible assets (FAS 142) value / diminution issues
7)Foreign / related / affiliated / reliance / subsidiary party issues
8)Deferred, stock-based or executive compensation issues
9)Acquisition, merger, disposal or reorganization issues
10)Lease, FAS 5, legal, contingency & commitment issues
11)Financial derivatives / hedging (FAS 133) issues