Enactment of the Sarbanes-Oxley law and issuance of related rules by the SEC have prompted these frequently asked questions on financial reporting and internal control from business executives: Does enhancing my internal control structure mean I have to significantly increase overhead? Do I have to disclose everything? If I must change the way I operate and report about the business, can someone provide some practical advice on how to deal with the new requirements?

Practical “how-to” guidance is the centerpiece of this article, a follow-on to our explanation of the far-reaching features of the new regulatory structure which appeared in the December 2002 issue of Mergers & Acquisitions. Besides explaining the operational guidelines, we present an Internal Control Matrix to highlight the main points of implementing the rules.

Internal Control

Although Sarbanes-Oxley addresses a plethora of corporate governance issues, its focus from a financial reporting perspective is a regulatory response aimed at preventing future financial reporting scandals. One of the principal ways to accomplish this objective is to strengthen a company’s internal controls. In the current business environment, errors in financial statements generally result from:

* Misappropriation of assets, by theft or by embezzling receipts, for example, or
* Direct manipulation, falsification, or general misrepresentation of results in financial statements.

While misappropriating assets can cost a company thousands, maybe millions, of dollars, fraudulent financial reporting may be in the billions and result in billion-dollar declines in market share and shareholder wealth. Management can address the risk of misappropriated assets through strong policies, systems, and procedures, much of which can be delegated. But managers must get directly involved in preventing fraudulent financial reporting and in otherwise reviewing financial statements for transparency.
In other words, a reader should be able to “look through” what is reflected in the financial statements and related notes and understand the underlying transactions they purport to represent. The FASB’s Statements of Financial Accounting Concepts elaborate on transparency by addressing such concepts as “reliability” and “representational faithfulness.” Still another word describing representational faithfulness is “validity.” A transaction must be valid before it can be recorded. In this regard, all transactions should be reviewed and approved by a person or persons at least one level higher than the initiator of the transaction. Management can override or circumvent almost any established control, particularly as it relates to the preparation of financial statements, and this is why oversight by the audit committee of the board of directors is critical. If the daily recording of cash receipts and disbursements and revenues and expenses can be viewed as “routine” and subject to the appropriate level of internal control, material non-routine transactions need to be reviewed by senior management and again by the audit committee, especially if senior management initiated the transaction. It is no longer acceptable for the audit committee to allow senior management to clear the accounting for a material non-routine, new, or complex transaction with the outside auditor and receive a five-minute briefing on the process at the end of the year. That will no longer shield the audit committee from criticism, nor provide it with a defense if litigation ensues. The committee must thoroughly comprehend the economic substance of every material or otherwise significant transaction and understand what alternative accounting treatments may exist. In the end, the financial reporting of every transaction should follow the economic substance of the transaction, not just its form. 
As for so-called “routine” issues, a common situation will help answer the question of when it is necessary to incur more overhead for internal control. Anyone who goes to a movie theater gives his or her ticket to a ticket taker, perhaps unaware that the simple function of having someone other than the ticket issuer tear the ticket is a control procedure. Enlisting a second party forces a ticket issuer who may be leaning toward theft to include the ticket taker in any scheme. Even if we assume that the ticket taker also is dishonest and would go along with the scheme, the amount of the ticket issuer’s personal enrichment would be reduced, perhaps to the point where impropriety is not worth the effort, or the risk, of getting caught. However, the moviegoer may not encounter a ticket taker at a small theater or at the Sunday morning show of a large “10-plex.” What accounts for this violation of the basic internal control principle of segregation of duties? At the small house, the owner-manager may be issuing the tickets and would only be stealing from himself. The second case involves a cost-benefit issue. Is the cost of employing a ticket taker worth the benefit of a reduced risk of theft? Probably not, considering the small number of people attending the Sunday morning show. In the final analysis, running a business and instituting internal control procedures are all about assessing risk and making choices. From our simple movie theater example, we can see that management, perhaps more intuitively than formally, has been performing risk assessments and instituting systems of internal control when the business has expanded beyond their ability to oversee or control operations by themselves. The result is that a properly designed internal control structure creates efficiency and effectiveness of operations and compliance with laws and regulations. 
In a well-controlled environment, day-to-day operations run smoothly, almost automatically, and management can spend more time expanding the business and increasing profitability.

Effectiveness of Internal Control

The SEC first proposed, in 1979, that independent auditors attest in writing to the effectiveness of a public company’s internal control over financial reporting, in conjunction with enactment of the Foreign Corrupt Practices Act of 1977. It renewed the proposal in 1988 following recommendations of the National Commission on Fraudulent Financial Reporting, commonly referred to as the Treadway Commission. Neither proposal was adopted. However, independent written attestation of the effectiveness of internal control is virtually certain now, thanks to the massive scandals at WorldCom Inc., Enron Corp., and Tyco International Ltd. This is a significant development resulting from the passage of Sarbanes-Oxley, and possibly the most overlooked one. Managements should start planning for this inevitability now.

As we mentioned in our December article, the independent auditor’s current testing of a company’s internal control under GAAP is not of sufficient depth or breadth to allow him or her to prepare an attestation report on its effectiveness. In fact, at smaller companies, the auditor may be performing few, if any, tests of the internal control. The SEC acknowledged the magnitude of its proposal in its Oct. 22, 2002, release that read: “[I]n many cases such [internal control] reviews [i.e., those performed as part of the annual audit of financial statements] may not be as thorough or as detailed as the proposed rules would require. We expect that companies and their auditor will require substantial time to develop processes under relevant standards and to train appropriate personnel to ensure compliance with these requirements imposed by the Sarbanes-Oxley Act.
Similarly, companies and accounting firms likely will need additional time to actually perform these activities.”

Documentation of Internal Control

Most larger companies, by necessity, have an internal control structure that is documented to some degree, often in the form of manuals and formally written policies and procedures. Does this mean that such companies are home free? Not necessarily. And what about smaller companies that are not likely to have anything written? Must they hire a professional writer to develop internal control manuals? Again, not necessarily.

We have nothing against written policies and procedures and internal control manuals, and have often encouraged our larger clients to maintain them. However, regardless of company size, flow charts and matrices often may be the simplest, best, and most economical way to document an internal control structure, including its design, actual internal control activities in place, and internal control monitoring practices. But make no mistake about it. Documentation is fundamental to the entire process.
In a presentation to the 2002 National Conference on Current SEC Developments, Linda Griggs, a partner at the law firm of Morgan Lewis & Bockius, pointed out that “documentation of internal control will be critical in order for management to issue its report on internal control [and] for the outside auditors to opine on management’s assessment of the effectiveness of internal control…” To prevent fraud and promote transparency in financial reporting, the SEC is requiring public companies to have an internal control structure that is: “designed to provide reasonable assurance that the company’s transactions are properly authorized; assets are safeguarded against unauthorized or improper use; and transactions are properly recorded and reported to permit the preparation of the registrant’s financial statements in conformity with generally accepted accounting principles.” The SEC believes that these objectives are embodied in the definition of the term “internal control” as the term appears in professional auditing standards. It acknowledges that the source of the internal control definition used in the auditing literature comes from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its report entitled Internal Control – Integrated Framework, which provides not only a definition of internal control but a framework for evaluating its effectiveness. 
Internal control as defined in the COSO report, however, has a broader meaning than just accuracy in financial reporting: “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

* Effectiveness and efficiency of operations;
* Reliability of financial reporting; and
* Compliance with applicable laws and regulations.”

COSO establishes a direct relationship between these three stated objectives of internal control and what they refer to as internal control components, i.e., that which is needed to achieve the objectives. In this regard, COSO established the following five interrelated internal control components:

Control environment

Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The control environment comprises the attitudes, abilities, awareness, and actions of any entity’s personnel, especially its management, as they affect the overall operation and control of the business. Management’s actions in enforcing a company’s code of conduct, for example, would be one aspect of the control environment. Management is advised to consult with legal counsel regarding the SEC’s final rules for corporate codes of ethics. In our view, if a company does not have an official code of conduct, or hasn’t updated it in several years, now is the time to do so.

Risk assessment

Risk assessment involves management’s identification and analysis of relevant risks to achievement of its objectives. The results form a basis for determining how risks should be managed. But objectives must be set before management can identify the associated risks and take actions to manage them.
Control activities

Control activities are the policies and procedures that help ensure that management directives are carried out, specifically the actions that address risks to the achievement of objectives.

Information and communication systems

Information and communication systems, which should be an integral part of operations, support the identification, capture, and exchange of information that enable people to carry out their responsibilities.

Monitoring

Monitoring is a process to assess the quality of internal control performance – determining whether a company’s internal control is operating as intended and how to modify it, when necessary. A company’s internal audit department should perform monitoring, but a company may have to seek independent outside assistance if it doesn’t have an internal audit department or if there are other problems. The company’s regular auditor would not do the monitoring because that would violate auditor independence rules.

In the context of the financial statement, significant activities usually include sales and purchasing, along with several subsets of purchasing, such as inventory purchasing, fixed-asset purchasing, and general expenditures. Depending on how diversified the company is, there may also be subsets within sales. Establishing an internal control structure by business segment (as reported in the notes to the financial statements) instead of by activity may be the better way to proceed, depending on how a company truly operates and controls its business.

In our view, if a company is now required by law to ascertain that it has the right internal control over financial reporting to properly authorize, record, and report its transactions and safeguard its assets, it should also address operating effectiveness and efficiency as well as compliance with laws and regulations that affect its business.
By going through the process of formally developing an internal control structure, management actually may find redundant controls that can be eliminated and determine ways to improve effectiveness and efficiency that result in cost savings. It also can help comply with disclosure controls that will be addressed later.

The Internal Control Matrix

The authors have developed an Internal Control Matrix (see pages 24 and 25) to help management design an internal control structure using the COSO components of risk assessment, control activities (including information systems), and monitoring. The control environment, which includes an official company code of conduct, should be established by management in concert with legal and accounting advisers and thus is not shown in the Matrix. Although they are not required by Sarbanes-Oxley, the COSO objectives of effectiveness, efficiency, and compliance are included in the Matrix.

By way of example, the Matrix presents a simplified version of a typical company’s sales activities. It does not include many of the unique or specialized types of sales transactions that some companies have, but it should provide a framework that can be adapted to these situations. The Matrix depicts the general objectives of internal control over financial reporting across the top and the specific objectives of internal control related to sales on the side. The general objective is to make sure that all recorded revenue represents actual shipments of goods or rendering of services to real customers, as authorized by responsible personnel. It goes into such areas as the risks of errors in sales transactions to guard against invalid or fictitious sales that may result in an overstatement of revenues, receivables, and income.

What control activities can be employed to reduce the risks and achieve the objectives? We offer two activities to accomplish those goals in the Matrix. How effectively are these activities and procedures working?
This is where monitoring comes into play. The Matrix suggests taking a sample of transactions and examining supporting documentation, such as sales orders, invoices, and shipping documents, for evidence of the appropriate authorization. If you choose to incorporate effectiveness, efficiency, and compliance objectives into the Matrix, it can be expanded accordingly.

Use the Matrix to establish and document objectives for each significant activity; assess what could go wrong (i.e., the risks); institute the appropriate control activities, procedures, and techniques to address the risks; and monitor these controls to determine their effectiveness. The Matrix, together with the actual results and supporting documentation of monitoring procedures, should be presented to the external auditor as part of the annual attestation procedures that are under consideration by the SEC. However, monitoring should be performed quarterly to assist the CEO and CFO in the required certifications of internal control in the company’s Form 10-Q filings.

Disclosure Controls

The SEC has created the new term “disclosure controls and procedures” to differentiate them from the existing concept of “internal control.” The entire concept of “controls” as contemplated in the law, the SEC believes, covers not only financial disclosures required by GAAP and its Regulation S-X but all material non-financial disclosures as well. Disclosure control procedures should provide reasonable assurance that significant business transactions and activities are disclosed to shareholders and the investing public. An excellent source for identifying possible non-financial disclosures is the SEC’s Regulation S-K. We have developed a Regulation S-K Checklist that can be used by management in identifying possible non-financial disclosures.
When used in conjunction with a financial statement GAAP checklist, most material financial, and non-financial, disclosures should be included in a registrant’s filings with the SEC. Space limitations do not allow us to provide this checklist here but it is available upon request (see end of article for contact information).

Disclosure control checklists notwithstanding, senior management should take additional steps to be reasonably certain that all significant business risk factors are disclosed within the SEC’s concept of disclosure controls. The SEC offers an excellent suggestion to help companies comply with the requirements by recommending that the company create a senior committee to consider the materiality of information and determine disclosure obligations on a timely basis. While management’s responsibility for disclosure controls is similar to its responsibility for internal control, a separate independent auditor attestation of disclosure controls is not required.

Materiality

Materiality, like beauty, is in the eye of the beholder. However, recent actions by the SEC appear to be lowering the threshold for materiality. For example, the financial restatement announced by AOL Time Warner Inc. is particularly noteworthy. In a Form 8-K filing, AOL said that following a review of certain advertising and commerce transactions at one of its divisions, the financial results for each quarter for the two-year period ended June 30, 2002, would be restated. The restatements represented approximately 1% of the AOL division’s total revenues for the two years, about 3.4% of its advertising and commerce revenues, and about 1.6% of its earnings before interest, taxes, depreciation, and amortization. The AOL amounts seem small in comparison to the Waste Management Inc. situation.
In a March 26, 2002, enforcement action, the SEC imposed sanctions and penalties against six former officers of Waste Management, and in earlier related actions against its auditors, Arthur Andersen, and four of its partners. The SEC alleged that Arthur Andersen knew that Waste Management’s net income was overstated by at least 12% in certain years, and somehow concluded that was immaterial. Waste Management’s subsequent reports revealed even greater overstatements.

Clearly 12% is material. But is 1% also material? It depends. If that’s the case, is there any official guidance on determining materiality to help management in determining what is and isn’t material? Let’s look for guidance from the U.S. Supreme Court and what it said in 1976 in the seminal TSC Industries v. Northway Inc. ruling (426 U.S. 438; 449). The court held that a fact is material if there is “a substantial likelihood that the…fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Looking for something perhaps a little bit less ambiguous? Let’s see what guidance the SEC offers. The agency’s official position on materiality can be found in Regulation S-X (Rule 1-02) as follows: “The term ‘material,’ when used to qualify a requirement for the furnishing of information as to any subject, limits the information required to those matters about which an average prudent investor ought reasonably to be informed.”

Less official, but often more definitive guidance can be found in SEC Staff Accounting Bulletins (“SABs”), which represent interpretations and practices followed by the agency’s staff in administration of federal securities laws. In 1999, under the direction of then Chief Accountant, Lynn Turner, the staff issued SAB No. 99, simply entitled Materiality, which implemented the substance of former Chairman Arthur Levitt’s famous 1998 “Earnings Management” speech at the NYU Center for Law and Business and gave companies and their auditors some specific guidance on materiality.

In SAB 99, the staff expresses the view that exclusive reliance on quantitative benchmarks to assess materiality in preparing and auditing financial statements is inappropriate and that misstatements are not immaterial simply because they fall beneath a numerical threshold. While the staff did not object to using a percentage threshold as an initial assessment of materiality, the bulletin clearly says that exclusive use of such thresholds has no basis in law or in accounting literature. In assessing materiality, one must consider qualitative factors, i.e., the nature of the misstatements, as well as the quantitative factors. As Levitt said in his speech: “materiality is not a bright line cutoff of 3% or 5%.”

To assist management and the audit committee in deciding when to record financial statement adjustments and how to make financial and non-financial disclosures, we have developed a Materiality Checklist based on the guidance in SAB 99, also available on request. If there are errors in financial statements, even if immaterial in the current year, it is probably wise to correct them now. If the errors are allowed to build up, they may become material in the future. Correct them now and be done with them.

Recent SEC Rules

Since our December article was published, the SEC has been busy writing proposed and final rules implementing various sections of Sarbanes-Oxley, which require additional guidance.

Audit committee financial expert

On Jan. 15, 2003, the SEC adopted final rules regarding appointment of an Audit Committee Financial Expert.
They specify that the expert must understand internal controls and procedures for financial reporting and the GAAP used to prepare financial statements of comparable complexity, particularly in the areas of accounting for estimates, accruals, and reserves. Because GAAP-based financial statements are prepared by using the accrual basis of accounting, in contrast to the cash basis, and the use of estimates is pervasive throughout the statements, the required grasp of GAAP is no minor skill. Consider the complexity of establishing proper estimates for the allowance of doubtful accounts, inventory obsolescence, pensions, stock options, goodwill and other asset impairments, and warranty liabilities, as well as valuing derivatives and other financial instruments, to cite just a few of the more complex estimates.

In his Earnings Management speech, Levitt talked a great deal about accounting “reserves” and their susceptibility to abuse. Accounting reserves represent one of the most misunderstood topics in financial reporting. Suffice it to say that reserves should not be established until it is “probable” (as that term is used in FASB Statement No. 5, Accounting for Contingencies) that an asset has been impaired or a liability has been incurred. In addition, reserves only can be established for a specific purpose since FASB No. 5 prohibits the use of “general” reserves. Once the reason for a reserve no longer exists, the entry should be reversed immediately and not used for any other purpose. Finally, a reserve should never be purposely overestimated at its inception with the intention of generating future income by the later reversal when it is required.

Approval of non-audit services

As discussed in the original article, Section 201 of Sarbanes-Oxley lists nine non-audit services that would impair the external auditor’s independence if the outside firm provides them.
Section 201, however, allows engagement of the auditor to perform “any non-audit service, including tax services,” that are not expressly prohibited by the act and are approved by the audit committee. There were many who were disappointed that the SEC’s final rules did not impose some form of limitation on external auditors providing tax services to clients, especially in the area of tax shelters. The audit committee should be particularly concerned about this because the SEC, by avoiding the issue, effectively shifted responsibility to the committee. The audit committee thus is warned to be particularly sensitive to how shareholders would view the appearance of the external auditor that advocates tax shelters and other aggressive tax positions.

Attorney conduct rules

Probably the most controversial of all of the SEC’s proposed rules deals with the conduct of attorneys practicing before the SEC in servicing public companies. On Jan. 23, 2003, the SEC approved some of the rules it proposed in November 2002 and modified others, including the rules covering attorneys, thus offering the public 60 more days to comment on the changes.

Section 307 of the law requires an attorney to report evidence of any material violation of securities law, breach of fiduciary duty, or similar violation by the company or its agents thereof, to the company’s chief legal officer (CLO) or CEO. If a “reporting attorney” does not receive an appropriate response from the CLO or CEO, he or she is required to report the evidence of the violation or breach to the audit committee, another committee of independent directors, or the full board. The controversy that surrounds this is not centered on this “up-the-ladder” reporting as much as on the so-called “noisy withdrawal” provision added by the SEC last November.
It requires attorneys to withdraw from representing a registered company and to notify the SEC that they have severed relations when the reporting did not produce an appropriate response from the company. In comment letters to the SEC, attorneys expressed concern that a noisy withdrawal would constitute a violation of the traditional attorney-client privilege. An alternative proposal would shift the burden of informing the SEC from the attorney to the company, principally through a company-sponsored qualified legal compliance committee. How all this will play out will only be determined when final rules are adopted.

Audit committee expertise

Without some help, the audit committee cannot be all things to all people. The SEC acknowledges that the committee will not be expert on all accounting, financial reporting, income tax, or legal matters and will need to engage its own outside advisers, apart from those that work for management, especially when potential conflicts of interest may be apparent. Fortunately, the law and the SEC rules specifically grant the audit committee the authority to engage outside advisers, from any discipline, to carry out its duties.

The SEC further acknowledges that a committee’s effectiveness may be compromised if it is dependent on management’s discretion to compensate the external auditor or its own advisers. Accordingly, proposed rules would require the company to provide appropriate funding, as determined by the audit committee, to pay the external auditor and any other advisers it employs. This proposal recognizes that the audit committee may not be able to perform its duties objectively and the advisers also could be compromised if only management had the power of the purse. Without assurance of adequate funding, both the audit committee and its advisers might be less willing to tackle disagreements with management. The audit committee should take advantage of its access to funds.
The membership simply cannot be accountant, financial analyst, tax expert, and lawyer at the same time, especially at smaller companies.

Laurence Goldfein is a Principal at Eisner LLP and General Counsel and Chairman of the company’s Legal Support Services Department. David Cace, a CPA, is a Partner at Eisner and a member of the firm’s Technical Services Group and Legal Support Services Department.

Editor’s Note: Anyone who would like copies of the Regulation S-K Checklist or the Materiality Checklist should e-mail the authors at: [email protected].

Copyright 2003 Thomson Media Inc. All Rights Reserved.
