SEC and SOX plus COSO 2013 News
I want to share two situations/reports. The first relates to SOX, the second to COSO 2013.
SEC Charges SOX 302 Violation
Here are the key points in the SEC’s remarks:
The Sarbanes-Oxley Act of 2002 requires a management’s report on internal controls over financial reporting to be included in a company’s annual report. The CEO and CFO must sign certifications confirming they’ve disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.
The SEC’s Enforcement Division alleges that CEO Marc Sherman and former CFO Edward L. Cummings represented in a management’s report accompanying the fiscal year 2008 annual report for QSGI Inc. that Sherman participated in management’s assessment of the internal controls. However, Sherman did not actually participate. The Enforcement Division further alleges that Sherman and Cummings each certified that they had disclosed all significant deficiencies in internal controls to the outside auditors. On the contrary, Sherman and Cummings misled the auditors – chiefly by withholding that inadequate inventory controls existed within the company’s Minnesota operations. They also withheld from auditors and investors that Sherman was directing and Cummings participating in a series of maneuvers to accelerate the recognition of certain inventory and accounts receivables in QSGI’s books and records by up to a week at a time. The improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor.
According to the SEC’s orders, Sherman and Cummings signed a Form 10-K and Sherman signed a Form 10-K/A each containing the false management’s report on internal controls over financial reporting. And each signed certifications required under Section 302 of the Sarbanes-Oxley Act in which they falsely represented that they had evaluated the report and disclosed all significant deficiencies to the auditors.
What is new is that the executives were found to have violated not only the annual Section 404 requirement that the SOX compliance program is generally focused on, but also the quarterly Section 302 certification process.
I have been warning, in both my SOX book for the IIA and in my training classes, that ‘one of these days’ somebody would be charged with a Section 302 certification violation. In my conversations with the SEC when I was writing my SOX book for the IIA, they indicated that Section 302 violation was a future rather than a current focus.
But here they are now.
In the Section 302 certification, the CEO and CFO personally sign, and therefore are liable, that the following statements are true:
“The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
- Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
- Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
- Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
- Disclosed in this report any change in the registrant’s ICFR that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
“The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):
- All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
- Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.”
In the book, I say:
“…. prudence suggests that management:
- Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
  - This can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
  - The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
  - The system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes “material”.
  - The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
- Confirms that the external auditors do not disagree with management’s quarterly assessment.
- Understands ― which requires an appropriate process to gather the necessary information ― whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.”
Question: Have you discussed with and obtained guidance from your legal team whether a potential material weakness identified by your periodic SOX testing means that the CEO and CFO should not say, in their current quarter Section 302 certification, that the disclosure controls are effective?
Mapping of Controls to COSO 2013 Principles is Wrong
I am still trying to get information on what the major auditing firms are telling clients about COSO 2013.
I was able to get on a call with a Deloitte practice partner and one of the SOX/COSO leaders in the Deloitte head office.
It was refreshing to hear that they understand that the top-down and risk-based approach mandated by PCAOB Auditing Standard Number 5 remains at the heart of the firm’s approach.
The head office leader made a comment that I like very much.
She said that many registrants are trying to map all their (key) controls from 2013 to one or more of the COSO principles.
This is wrong.
There is no such requirement, nor is it useful.
What is needed is to demonstrate which controls are being relied upon to support management’s determination whether the principles are achieved.
I cover this in detail in the SOX book and in my SOX Master Class training. Basically, my approach is to determine how a failure to achieve a principle might raise the level of risk of a material error or omission above acceptable levels; we then identify the key controls that will be relied upon to address such risks. Where the risk is assessed as low, management’s self-assessment of the controls may be sufficient.
Unfortunately, I know of at least one Deloitte senior manager who doesn’t understand.
I wonder how many other external audit teams are ‘requiring’ that companies do more than is necessary.
Please share through comments or private email to me at firstname.lastname@example.org.
I welcome your insights and observations.