Common SOX 302/404 Mistake: Not Assessing Controls Over Notes And Supplemental Disclosures

Leech Tim | February 17, 2004

One of the most common mistakes we still see in practice is too narrow an interpretation of what is covered by Section 302 and 404 control effectiveness representations.

Many companies appear to be under the mistaken impression that these representations relate only to the accounting processes that feed disclosures in balance sheets and income statements.

Subject to the usual caveat that readers should consult with their legal advisors, I see no basis in law for this narrow interpretation. The risk and control assessment work must include assessment of the effectiveness of the controls that ensure the reliability of all financial statement notes and all management discussion and analysis and supplemental disclosures in 10-K and 10-Q filings. Companies that omit this work face possible challenge from external auditors, the PCAOB, the SEC and/or the civil courts.

What Does SOX Say?

Here are the key passages ... bear with me, and note that the items in red are my emphasis:

Section 302(a)(2) directs CEOs and CFOs to acknowledge that "the report" (i.e. 10-K and 10-Qs) does not contain any untrue statement or omit to disclose relevant information.

Section 302(a)(4)(A) requires acknowledgement and responsibility for "establishing and maintaining internal controls".

Section 302(a)(4)(B) requires that CEOs and CFOs have designed "such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities … ".

And perhaps most importantly, Section 302(a)(5)(A) requires reporting of all deficiencies in the design or operation of "internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data." (my emphasis).

What Do The SEC Final Rules Say?

The related SEC 302 and 404 final rules reference the responsibilities for "internal control over financial reporting." This term is further defined in the 404 final rules as:

A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers … to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes …

PricewaterhouseCoopers December 2003 White Paper

PwC confirms the breadth of the requirements related to financial statement notes and supplemental disclosures in its excellent Dec. 2003 SOX 404 white paper:

  • Management must document the design of controls related to all relevant assertions for all significant statement accounts and disclosures.
  • Management must test controls related to relevant assertions for all significant financial statement accounts and disclosures.

Likewise, every footnote, taken as a whole, rather than each individual amount in a footnote, should be presumed to be a significant disclosure.

Why Have So Many Done So Little?

Having discussed this issue with heads of internal audit and SOX project leaders from literally hundreds of companies — and, by the way, having found widespread ignorance of the breadth of the SOX laws and regulations in this area — it is worth speculating on the reasons.

  • Reason #1 - The SOX control assessment templates being used by many companies do not include specific questions requiring an examination of the risks and controls related to supplemental notes and management discussion.
  • Reason #2 - Historically, most internal audit departments have done little or no work to assess and report on controls in place to ensure accurate and reliable financial statement notes and supplemental disclosures.
  • Reason #3 - Unlike financial statements, note disclosures do not form part of the double-entry system of accounting. There is no need to book correcting entries to the accounts when evidence indicates that prior period note disclosures were wrong.
  • Reason #4 - When examining the entire universe of U.S.-listed public companies, notes and supplemental management discussion in 10-K and 10-Q have shown at least as high and perhaps substantially higher levels of inaccurate data than the accounts. This may be because notes and supplemental disclosures tend to be done at a very high level during the consolidation and reporting phase. Controls over notes and supplemental disclosures have generally generated less documented policy and procedures related to the processes that generate them.
  • Reason #5 - Many companies do not have personnel that can complete risk and control assessments without the aid of questionnaires. They have not yet had training in the new COSO ERM approach to risk and control assessment or using risk source models or control frameworks to ensure conformance to the full breadth of COSO control categories.

What To Do

If your company can't demonstrate that it has documented its assessments of risks and controls in place to ensure reliable notes and supplemental disclosures, you should consider asking — and addressing — these questions:

  1. Have you been including notes and supplemental disclosures?

    If you haven't already identified all of the financial statement notes and supplemental disclosures covered by these new rules — and documented and assessed the risks to their completeness and reliability — you should get started immediately. The effectiveness of controls related to these disclosures is supposed to be already covered by the representations being made each quarter in 10-K and 10-Q filings by CEOs and CFOs.

  2. How reliable have notes and supplemental disclosures been?

    Because there has been no visibility on the past accuracy of notes and supplemental disclosures of the type required to correct the accounts, companies should, if they haven't already, track and monitor the accuracy of the disclosures to determine which disclosures have demonstrated high error/inaccuracy rates. This "indicator" data is very important in forming an initial opinion on the likely reliability of the control system in place to ensure their reliability.

  3. Which notes have high subjectivity/judgment?

    The principles used to assess which accounts have high levels of judgment and subjectivity are also applicable when identifying which notes and supplemental disclosures may attract particularly high levels of attention. This includes such things as disclosures related to pending litigation, contingent liabilities, significant risks facing the business, future prospects and others.

  4. Are your External Auditors compromised?

    Many companies will need to assess the level of their external auditor's involvement in preparing financial statement notes and supplemental disclosures. In smaller companies in particular, external auditors have often played an important role in drafting or influencing the extent of these disclosures.

    Legal advice should be sought in situations where the company's external auditor has played a material role in developing and/or authoring this material. It could be argued that an external auditor is precluded from assessing the effectiveness of controls over these disclosures in companies where they have played important roles in defining the content of financial statement notes and supplemental management discussion and analysis.

  5. What do industry analysts study/care about?

    An excellent way to determine the notes and supplemental disclosures that are considered particularly important is to formally identify the ratios, notes and areas that industry stock analysts track and study. This will help identify the particularly "high reliance" notes and disclosures.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.