Internal Control Reports: The Next New Thing

Many public companies have already begun to prepare for compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (the Act). Management and directors may not be clear on the framework for Section 404. Although Section 404 does not require disclosure in Annual Reports for the calendar year-end 2003, requisite lead times suggest that by now companies must be working diligently on compliance planning.

The Securities and Exchange Commission (SEC) issued final Section 404 rules on June 5, 2003. The rules require each public company's Annual Report to contain an internal control report:

• Stating management's responsibility for establishing and maintaining adequate internal control over financial reporting; and
• Containing an assessment as of the end of the fiscal year of the effectiveness of the company's internal control over financial reporting.

These rules apply to all companies regardless of size. Under the new compliance schedule, a company that is an “accelerated filer” as defined in Exchange Act Rule 12b-2 (generally, a U.S. company that has equity market capitalization over $75 million and has filed at least one annual report with the Commission), must begin to comply with these amendments for its first fiscal year ending on or after Nov. 15, 2004 (originally June 15, 2004). A non-accelerated filer must begin to comply with these requirements for its first fiscal year ending on or after July 15, 2005 (originally April 15, 2005). The Commission similarly has extended the compliance date for related requirements regarding evaluation of internal control over financial reporting and management certification requirements, including certification and related requirements applicable to registered investment companies. Even for non-accelerated filers, prompt action is important, since many will have less well-developed internal controls and thus may need more time to implement improvements.

Management's Report

In each Annual Report, management must include a report concerning the company's internal control over financial reporting, stating that management is responsible for establishing and maintaining adequate internal control over financial reporting; the “framework” used by management to evaluate the company's internal controls; management's assessment of the effectiveness of its internal controls as of fiscal year-end; and that the auditors have issued an attestation report that also is included in the Annual Report. The company's quarterly reports thereafter must include evaluations of any changes during the quarter that are reasonably likely to have materially affected internal controls.

The concept of “framework” may not be familiar. The SEC has stated that the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) constitutes a satisfactory accounting framework. As a practical matter, we are not aware of any domestic company utilizing any other standard.

Observations

• Standards. Although it seems, de facto, that most United States companies will be utilizing the COSO framework for their own assessment of their internal controls, the standards to be applied by the auditors in opining on the company's assessment are not so clear. The Public Company Accounting Oversight Board (PCAOB) has proposed standards that will likely be finalized, with approval by the SEC, late in the first quarter of 2004. (Under the PCAOB's Final Rule Compliance with Auditing and Related Professional Practice Standards, all registered public accounting firms must adhere to the PCAOB's auditing and related practice standards in connection with the preparation or issuance of any audit report for the issuer. Therefore, the standards for the audit of effectiveness of internal control over financial reporting will be those as promulgated in final form by the PCAOB.)
• Auditors. There is a curious gray area with respect to the accounting firm conducting the general audit. That firm must itself provide an “attestation” in the company's Annual Report covering the adequacy of internal control on financial reporting. To what degree can that auditing firm consult with the company in tightening its accounting procedures in preparing to make the assessment and internal control report under Section 404? Those auditors can be involved on an advisory or consultative basis, but clearly cannot lead the effort. The company must itself take the lead. To support its effort, the company might retain another accounting or consulting firm. An anomaly arises in connection with the practice where the auditing firm assists a company in calculating taxes due on a quarter-by-quarter basis. Of the “big four,” reportedly two have now declined to help in such calculation. The argument is not one of conflict of interest but, rather, a circular twist of logic: If the company has to hire the accounting firm to calculate its taxes, it is proof that the company is incapable of doing so; consequently, the very request for help proves that the company has a “material weakness.” Yet the company could hire a different accounting firm to provide that function, without thereby creating a material weakness.
• The company must lead. The company must take a leading role, under the direction of the Audit Committee, in preparing, testing and tightening internal controls. Out-sourcing to an accounting firm (but not to the audit firm) for advice and manpower in this effort appears to be permissible. If the company does out-source internal control procedures work to another accounting firm, the company in the future might not be able to retain that (out-sourced) accounting firm as an independent auditor, because of its prior engagement to develop or improve internal controls. The company must also maintain adequate documentation of its review and testing of accounting procedures supporting its assessment.

What Can the Company Conclude in Its Report with Respect to Its Internal Controls?

There are three levels of finding:

1. The controls are effective.
2. The controls are effective but there are certain specific deficiencies. These deficiencies may create a situation where there is more than a remote likelihood of inconsequential financial misstatements, but not of “material” misstatements.
3. There are one or more “material weaknesses.” A material weakness means that there is more than a remote likelihood of a material misstatement in the financial statements. In the presence of even a single material weakness, a company may not conclude that its internal controls are “effective.”

Management's assessment must include disclosure of any “material weaknesses” in the company's internal control over financial reporting. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses identified in the registrant's internal control over financial reporting. In such a case, under the PCAOB's proposed auditing standards, the auditor's opinion on the effectiveness of internal control over financial reporting must likewise be adverse; the proposed standard does not permit an unqualified audit opinion in the event of a material weakness.

Although there is no specific monetary penalty for any particular conclusion, the investing public, brokerage firms, stockholders and management all have a clear and logical interest in remedying any disclosed weaknesses, particularly material weaknesses, both to protect the company and to ensure that its stock is properly priced in the marketplace. Also, although it is possible for an auditor to render an unqualified opinion on the financial statements even in the presence of material weaknesses, the auditor may need to perform additional audit procedures, and, under the PCAOB's proposed standards, would need to specifically disclose, in its report on the financial statements, that the weakness did not affect that audit report. It is not clear what effect a qualified auditor's report on the effectiveness of internal controls would have on the company's SEC filings.

In addition, the chief executive officer and chief financial officer must consider whether a material weakness raises a concern about their certifications required under Sections 302 and 906 of the Act. Finally, companies should be prepared for the potential of comments from the SEC relating to disclosures of weaknesses, particularly material weaknesses.

What Is Expected from the First Tranche of Internal Control Reports?

Some practitioners have speculated that as many as 80% of public companies will report the presence of certain specific deficiencies, nonetheless concluding that, overall, their internal controls are “effective.” This may be particularly true for smaller companies, whose internal controls have never been the basis for the preparation of the year-end examination and report by the auditors. While very large companies may undergo an audit that is, in effect, a review of pre-existing internal controls, that has not been the case for companies in or below the “middle market.”

What Is a Material Weakness?

This is the central examination. Examples of materiality in a weakness include (this is a non-exclusive list): ineffective Audit Committee supervision; restatement of prior financial statements within the period (for example, being required to restate the financial statements for a prior quarter); ineffective internal audit compliance or regulatory compliance; presence of fraud within the company, particularly involving senior management; any uncorrected but previously reported material weakness (if it is on the list the first year and you do not correct it, you do not get a second chance); or a material adjustment by the auditors not picked up by internal controls.

This last item is the subject of some controversy. Seemingly, if a company has closed its books and has failed to pick up a material adjustment that is then discovered by the auditors, this could constitute a “material weakness” even though it is corrected prior to the issuance of a financial statement or the making of any SEC filing. This analysis might induce a company to hire other accountants to assist in closing its books, before anything is shown to the auditors, to avoid a “foot-fault” in a circumstance where (whatever the “weakness”) no actual accounting error actually occurred.

What About Costs?

There is confusion and wide variance in speculation about costs. A recent round-table of Sarbanes-Oxley practitioners suggested that a company with $50 million in annual revenues might expect to spend $750,000 for all initial Act compliance, including compliance with Section 404, with costs increasing as company size increased. Certain factors could substantially affect cost, including the presence or absence of numerous or foreign places of business, the number of transactions involved in the normal flow of a company's business and the size of the enterprise.

Anecdotal information suggests that conversations with the SEC revealed an awareness that the SEC had underestimated the cost of Section 404 compliance (although the SEC remained adamant that the benefits are worth the price). In an event that demonstrates the SEC's sensitivity, it was reported that, in a recent transaction of a public company “going private,” one of the articulated reasons was to save the substantial costs of Act compliance. Reportedly, the company had to carefully negotiate with the SEC the exact language of the disclosure related to the reasons for the going-private decision.

Effect on Private Companies

Although Section 404 does not directly affect private companies, if a private company is anticipating going public it should place itself in a position to comply with Section 404. In addition, a public company acquiring a private company now has a potentially significant problem. Section 404 diligence in acquisitions will become a staple of public company growth. The chief executive officer and chief financial officer of the acquiring public company are required each quarter to certify under Sections 302 and 906 of the Act as to the adequacy of the company's accounting procedures as of the end of the period. Since that certification covers the entire company, officers may have particular concern in closing an acquisition near the end of a quarter, which would result in their certifications covering the internal controls over that acquired company, even if the acquisition target was under those officers' control for only a short period prior to the end of the quarter.

Conclusion

Management reports and auditor attestations soon to appear in Annual Reports will be closely watched by the Bar and the investment community. Will detailed analysis of financial control mechanisms in fact improve the quality of financial reporting? Some of our historical disasters are more the fault of avarice on the part of (a small fraction of ) corporate executives. To the extent that intentional fraud is committed in a systematic manner, the preventive value of improved internal controls remains to be seen.

Many public companies have already begun to prepare for compliance with Section 404 of the Sarbanes-Oxley Act of 2002 (the Act). Management and directors may not be clear on the framework for Section 404. Although Section 404 does not require disclosure in Annual Reports for the calendar year-end 2003, requisite lead times suggest that by now companies must be working diligently on compliance planning.

The Securities and Exchange Commission (SEC) issued final Section 404 rules on June 5, 2003. The rules require each public company's Annual Report to contain an internal control report:

• Stating management's responsibility for establishing and maintaining adequate internal control over financial reporting; and
• Containing an assessment as of the end of the fiscal year of the effectiveness of the company's internal control over financial reporting.

These rules apply to all companies regardless of size. Under the new compliance schedule, a company that is an “accelerated filer” as defined in Exchange Act Rule 12b-2 (generally, a U.S. company that has equity market capitalization over $75 million and has filed at least one annual report with the Commission), must begin to comply with these amendments for its first fiscal year ending on or after Nov. 15, 2004 (originally June 15, 2004). A non-accelerated filer must begin to comply with these requirements for its first fiscal year ending on or after July 15, 2005 (originally April 15, 2005). The Commission similarly has extended the compliance date for related requirements regarding evaluation of internal control over financial reporting and management certification requirements, including certification and related requirements applicable to registered investment companies. Even for non-accelerated filers, prompt action is important, since many will have less well-developed internal controls and thus may need more time to implement improvements.

Management's Report

In each Annual Report, management must include a report concerning the company's internal control over financial reporting, stating that management is responsible for establishing and maintaining adequate internal control over financial reporting; the “framework” used by management to evaluate the company's internal controls; management's assessment of the effectiveness of its internal controls as of fiscal year-end; and that the auditors have issued an attestation report that also is included in the Annual Report. The company's quarterly reports thereafter must include evaluations of any changes during the quarter that are reasonably likely to have materially affected internal controls.

The concept of “framework” may not be familiar. The SEC has stated that the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) constitutes a satisfactory accounting framework. As a practical matter, we are not aware of any domestic company utilizing any other standard.

Observations

• Standards. Although it seems, de facto, that most United States companies will be utilizing the COSO framework for their own assessment of their internal controls, the standards to be applied by the auditors in opining on the company's assessment are not so clear. The Public Company Accounting Oversight Board (PCAOB) has proposed standards that will likely be finalized, with approval by the SEC, late in the first quarter of 2004. (Under the PCAOB's Final Rule Compliance with Auditing and Related Professional Practice Standards, all registered public accounting firms must adhere to the PCAOB's auditing and related practice standards in connection with the preparation or issuance of any audit report for the issuer. Therefore, the standards for the audit of effectiveness of internal control over financial reporting will be those as promulgated in final form by the PCAOB.)
• Auditors. There is a curious gray area with respect to the accounting firm conducting the general audit. That firm must itself provide an “attestation” in the company's Annual Report covering the adequacy of internal control on financial reporting. To what degree can that auditing firm consult with the company in tightening its accounting procedures in preparing to make the assessment and internal control report under Section 404? Those auditors can be involved on an advisory or consultative basis, but clearly cannot lead the effort. The company must itself take the lead. To support its effort, the company might retain another accounting or consulting firm. An anomaly arises in connection with the practice where the auditing firm assists a company in calculating taxes due on a quarter-by-quarter basis. Of the “big four,” reportedly two have now declined to help in such calculation. The argument is not one of conflict of interest but, rather, a circular twist of logic: If the company has to hire the accounting firm to calculate its taxes, it is proof that the company is incapable of doing so; consequently, the very request for help proves that the company has a “material weakness.” Yet the company could hire a different accounting firm to provide that function, without thereby creating a material weakness.
• The company must lead. The company must take a leading role, under the direction of the Audit Committee, in preparing, testing and tightening internal controls. Out-sourcing to an accounting firm (but not to the audit firm) for advice and manpower in this effort appears to be permissible. If the company does out-source internal control procedures work to another accounting firm, the company in the future might not be able to retain that (out-sourced) accounting firm as an independent auditor, because of its prior engagement to develop or improve internal controls. The company must also maintain adequate documentation of its review and testing of accounting procedures supporting its assessment.

What Can the Company Conclude in Its Report with Respect to Its Internal Controls?

There are three levels of finding:

1. The controls are effective.
2. The controls are effective but there are certain specific deficiencies. These deficiencies may create a situation where there is more than a remote likelihood of inconsequential financial misstatements, but not of “material” misstatements.
3. There are one or more “material weaknesses.” A material weakness means that there is more than a remote likelihood of a material misstatement in the financial statements. In the presence of even a single material weakness, a company may not conclude that its internal controls are “effective.”

Management's assessment must include disclosure of any “material weaknesses” in the company's internal control over financial reporting. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses identified in the registrant's internal control over financial reporting. In such a case, under the PCAOB's proposed auditing standards, the auditor's opinion on the effectiveness of internal control over financial reporting must likewise be adverse; the proposed standard does not permit an unqualified audit opinion in the event of a material weakness.

Although there is no specific monetary penalty for any particular conclusion, the investing public, brokerage firms, stockholders and management all have a clear and logical interest in remedying any disclosed weaknesses, particularly material weaknesses, both to protect the company and to ensure that its stock is properly priced in the marketplace. Also, although it is possible for an auditor to render an unqualified opinion on the financial statements even in the presence of material weaknesses, the auditor may need to perform additional audit procedures, and, under the PCAOB's proposed standards, would need to specifically disclose, in its report on the financial statements, that the weakness did not affect that audit report. It is not clear what effect a qualified auditor's report on the effectiveness of internal controls would have on the company's SEC filings.

In addition, the chief executive officer and chief financial officer must consider whether a material weakness raises a concern about their certifications required under Sections 302 and 906 of the Act. Finally, companies should be prepared for the potential of comments from the SEC relating to disclosures of weaknesses, particularly material weaknesses.

What Is Expected from the First Tranche of Internal Control Reports?

Some practitioners have speculated that as many as 80% of public companies will report the presence of certain specific deficiencies, nonetheless concluding that, overall, their internal controls are “effective.” This may be particularly true for smaller companies, whose internal controls have never been the basis for the preparation of the year-end examination and report by the auditors. While very large companies may undergo an audit that is, in effect, a review of pre-existing internal controls, that has not been the case for companies in or below the “middle market.”

What Is a Material Weakness?

This is the central examination. Examples of materiality in a weakness include (this is a non-exclusive list): ineffective Audit Committee supervision; restatement of prior financial statements within the period (for example, being required to restate the financial statements for a prior quarter); ineffective internal audit compliance or regulatory compliance; presence of fraud within the company, particularly involving senior management; any uncorrected but previously reported material weakness (if it is on the list the first year and you do not correct it, you do not get a second chance); or a material adjustment by the auditors not picked up by internal controls.

This last item is the subject of some controversy. Seemingly, if a company has closed its books and has failed to pick up a material adjustment that is then discovered by the auditors, this could constitute a “material weakness” even though it is corrected prior to the issuance of a financial statement or the making of any SEC filing. This analysis might induce a company to hire other accountants to assist in closing its books, before anything is shown to the auditors, to avoid a “foot-fault” in a circumstance where (whatever the “weakness”) no actual accounting error actually occurred.

What About Costs?

There is confusion and wide variance in speculation about costs. A recent round-table of Sarbanes-Oxley practitioners suggested that a company with $50 million in annual revenues might expect to spend $750,000 for all initial Act compliance, including compliance with Section 404, with costs increasing as company size increased. Certain factors could substantially affect cost, including the presence or absence of numerous or foreign places of business, the number of transactions involved in the normal flow of a company's business and the size of the enterprise.

Anecdotal information suggests that conversations with the SEC revealed an awareness that the SEC had underestimated the cost of Section 404 compliance (although the SEC remained adamant that the benefits are worth the price). In an event that demonstrates the SEC's sensitivity, it was reported that, in a recent transaction of a public company “going private,” one of the articulated reasons was to save the substantial costs of Act compliance. Reportedly, the company had to carefully negotiate with the SEC the exact language of the disclosure related to the reasons for the going-private decision.

Effect on Private Companies

Although Section 404 does not directly affect private companies, if a private company is anticipating going public it should place itself in a position to comply with Section 404. In addition, a public company acquiring a private company now has a potentially significant problem. Section 404 diligence in acquisitions will become a staple of public company growth. The chief executive officer and chief financial officer of the acquiring public company are required each quarter to certify under Sections 302 and 906 of the Act as to the adequacy of the company's accounting procedures as of the end of the period. Since that certification covers the entire company, officers may have particular concern in closing an acquisition near the end of a quarter, which would result in their certifications covering the internal controls over that acquired company, even if the acquisition target was under those officers' control for only a short period prior to the end of the quarter.

Conclusion

Management reports and auditor attestations soon to appear in Annual Reports will be closely watched by the Bar and the investment community. Will detailed analysis of financial control mechanisms in fact improve the quality of financial reporting? Some of our historical disasters are more the fault of avarice on the part of (a small fraction of ) corporate executives. To the extent that intentional fraud is committed in a systematic manner, the preventive value of improved internal controls remains to be seen.