Amid ongoing pressure from regulators, public companies can expect more pushback from auditors when they try to say with a straight face that a particular control lapse is only a significant deficiency meriting no disclosure to investors.
Staff members at the Securities and Exchange Commission have made plenty of noise over the past few years that they are perplexed to see very few disclosures of material weaknesses in the absence of any material misstatement. If a mistake is serious enough to be material, surely it is some material weakness in internal control that allowed it to happen, staff members have surmised. So why aren’t internal control reporting and auditing processes leading to the identification of such control lapses in advance of material misstatements?
Final disclosure requirements
Below the SEC lays out the final regulations for disclosure controls.
After consideration of the comments, we are adopting the proposals with several modifications. We are adopting as proposed the change of the evaluation date for disclosure controls to “as of the end of the period” covered by the quarterly or annual report. We are not specifying the point at which management must evaluate changes to the company’s internal control over financial reporting. Given that the final rules do not require a company to state the conclusions of the certifying officers regarding the effectiveness of the company’s internal control over financial reporting as of a particular date on a quarterly basis as proposed, as the company must with respect to disclosure controls and procedures, it is unnecessary to specify a date for the quarterly evaluation of changes in internal control over financial reporting. We believe that this change is consistent with the new accelerated reporting deadlines.
We are amending the proposal that would have required companies to disclose any significant changes in its internal controls. Under the final rules, a company must disclose any change in its internal control over financial reporting that occurred during the fiscal quarter covered by the quarterly report, or the last fiscal quarter in the case of an annual report, that has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting. Furthermore, we have deleted the phrase “or in other factors” from Exchange Act Rules 13a-14 and 15d-15 and the form of certification. Although the final rules do not explicitly require the company to disclose the reasons for any change that occurred during a fiscal quarter, or to otherwise elaborate about the change, a company will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosure about the change not misleading.
While an evaluation of the effectiveness of disclosure controls and procedures must be undertaken on a quarterly basis, we expect that for purposes of disclosure by domestic companies, the traditional relationship between disclosure in annual reports on Form 10-K and intervening quarterly reports on Form 10-Q will continue. Disclosure in an annual report that continues to be accurate need not be repeated. Rather, disclosure in quarterly reports may make appropriate reference to disclosures in the most recent annual report (and, where appropriate, intervening quarterly reports) and disclose subsequent developments required to be disclosed in the quarterly report.
We note that, as required by the Sarbanes-Oxley Act, the quarterly certification regarding disclosure that the certifying officers must make to the company’s auditors and audit committee provides:
The company’s other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the company’s auditors and the audit committee of the company’s board of directors (or persons performing the equivalent functions): (a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company’s ability to record, process, summarize and report financial information; and (b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal control over financial reporting.
We expect that if a certifying officer becomes aware of a significant deficiency, material weakness or fraud requiring disclosure outside of the formal evaluation process or after the management’s most recent evaluation of internal control over financial reporting, he or she will disclose it to the company’s auditors and audit committee.
Auditors are taking that question to heart. At Compliance Week’s recent annual conference, auditors from Deloitte & Touche said they are having deeper conversations with the preparer community over whether that significant deficiency a company has conceded should really be identified as a material weakness instead.
It’s a touchy discussion, said Robert Crook, vice president of internal audit for Loews Corp., because the stakes are high. A material weakness has to be disclosed to investors, but a significant deficiency does not. “That could have an adverse effect on any kind of debt or equity offering,” he said. Loews reported a material weakness in 2005, for example, and it still shows up in searches, even though it has been remediated and doesn’t affect debt or credit ratings.
The difference between a material weakness and a significant deficiency is highly subjective, said John Fogarty, an audit partner at Deloitte. A material weakness is defined in SEC rules as a deficiency or combination of deficiencies that raise a reasonable possibility that a material misstatement will not be prevented or detected timely. That entails several separate judgment calls, he said.
Fogarty said he’s sat in on some of the discussions and witnessed the human bias and sense of denial that can factor into the analysis. Preparers will assert, for example, that compensating controls are providing a backstop to catch any material error that might have occurred, so that protects a lapse in control from being labeled a material weakness. They might anchor their analysis to evidence that supports their view, or disregard evidence that doesn’t.
“It’s not people sitting around dreaming up bad things to do,” he said. “That human bias spills over into the identification and assessment of deficiencies.”
So when a control lapse is identified, how does a company perform a fair analysis of whether it’s a material weakness that should be disclosed to investors or a significant deficiency that does not command that level of transparency? It’s more robust than simply asserting the lapse must not be a material weakness if no material misstatement has occurred.
That was the harsh lesson from a recent SEC enforcement action against Magnum Hunter Resources Corp., said Fogarty. The company identified a serious staffing problem in the accounting department, but did not concede it was a material weakness. There were not material accounting errors in the reporting periods covered by the enforcement order, but that didn’t mean the problem with controls was not material, the SEC said.
“You have to consider the potential misstatement,” said Fogarty. “You can’t over-emphasize the size of any misstatement that might have occurred. This is about what could occur.” The fact-gathering process is the first step to evaluating a control lapse, said Fogarty. “That part is not done as thoroughly as it should be.”
Bryan Marx, chief accounting officer for Flagstar Bank, said it’s important to evaluate what led to a control deficiency as a starting point in assessing the severity of the deficiency. That means getting into the business and the people or person responsible for the control to determine what went wrong. “This gets to that bias,” he said. “People may be slow to admit that they were the ones who caused a failure,” he said. So the examination should not rest solely on their input. “You have to get others involved and ask tough questions,” he said.
To get to the “could” factor, the analysis needs to look at not just a population of transactions but at an entire account balance where an error occurred, said Jeff Getz, an audit partner at Deloitte. If an accounting manager, for example, made a $20 million revenue error because he didn’t understand how to segregate multiple-element arrangements, that means the risk of error applies to the entire account balance, not just the actual error amount.
Auditors are being prodded by regulators to consider the implications of such a control breakdown. Maybe there’s a competency issue to explore. Maybe it’s a control design problem. Maybe it represents a breakdown in how the company has observed its internal control framework. “That’s all the stuff we are thinking about in just gathering the facts,” said Getz.
The deeper discussions on the distinction between a material weakness and a significant deficiency is also falling out of a period of a few years where the Public Company Accounting Oversight Board has tightened the screws on internal control audit work. The tension led to a boiling over in 2015 where the preparer community appealed to the PCAOB and the SEC for some dialogue on exactly what it would take to satisfy regulators.
That confabbing has proven fruitful, said Wes Bricker, deputy chief accountant at the SEC, in a separate discussion at the Compliance Week conference, and he urged companies to keep the dialogue going with their auditors. “As I take stock of the conversation, it does seem we would collectively benefit from continued dialogue about good risk assessments,” he said, including discussions about the level at which the risk assessment operates and the precision of the assessment.