Saturday, May 19, 2012

How the Requirements of Sarbanes-Oxley Have Impacted Management


The Sarbanes-Oxley Act (SOX) of 2002 significantly expanded the rules for corporate governance, disclosure, and reporting. It emphasizes the critical role of internal control over financial reporting within companies in an effort to enhance their accountability and restore investor confidence after the huge financial and accounting scandals which saw the end of Enron and Arthur Andersen. Specifically, SOX is intended to enhance financial disclosures and management assessment of internal control in line with the related Securities and Exchange Commission (SEC) rules. Auditing Standard No. 2, established by the Public Company Accounting Oversight Board (PCAOB), requires management of a public company to report annually on the effectiveness of the company's financial statement. Under the new reporting requirements, investors and other users of financial statements may be required to make investment and credit decisions based on an independent auditor's report that may have differing opinions.
This paper examines section 302 - management assessment of disclosure controls, section 404 - management assessments of internal controls over financial reporting and section 409. These three sections require companies to have a "timely" reporting of material events that have an impact on the financial reports and how they impact management. Disclosures on information of risks and uncertainties have become an increasingly important part of financial reporting (Linsmeier and Pearson, 1997). At the individual level, the penalties for violating the provisions of Sarbanes-Oxley are significant. The most notable of penalties is reserved for Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) who are required to attest to the validity of the firm's financial reports. Individuals that violate this provision, either knowingly or unknowingly, are subject to up to $5 million in fines and/or 20 years in prison (Claypool, Tackett, and Wolf 2004).
It is important to note that in conjunction with the management requirement to report on the effectiveness of internal control over financial reporting, it is also mandatory to make all relevant assessments on the disclosure of the control policies and procedures designed and implemented in respect of the operating effectiveness of the company and its financial statements. The company's independent auditors are also required to issue a report on the operating effectiveness of the internal control implemented by management and how they impact the financial reports. This includes both an opinion on management's assessment of the internal control policies and the effectiveness of their operation. The auditing requirements also highlight the importance of the concept of material weaknesses in the internal control and their impact on financial reporting. Both management and the independent auditor are mandated to prepare a public report on any material weaknesses in internal controls on the financial reports that exist at the fiscal year end. A material weakness is a deficiency or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis. The existence of a single material weakness requires management and the independent auditor to conclude that internal control over financial reporting is not effective.
With the passage of SOX, it was believed that the SEC and investors would possess a greater ability to hold a corporation's officers accountable for financial and accounting misdeeds. Thus, by certifying, the CEO and CFO have assured investors that the report does not contain any untrue statements of material fact that would make the statement misleading (Bass, Slavin, and Vogel, 2011). In order to maintain this requirement, management is to report on the effectiveness of internal control over financial reporting. The importance of internal control and the need for internal control standards are issues that have been addressed by regulators and the profession. Prior to the fraudulent financial reporting practices and resulting decline in investor confidence in the early 2000s, the disclosure of internal control deficiencies was not required in the audit report. Audit standards required the auditor to report on significant internal control deficiencies to the audit committee and to use the assessment of the control risk to determine the nature, timing, and extent of substantive testing. SOX mandated new disclosures about and assessments of internal controls. Specifically, Section 404 requires management to annually disclose its assessment of the firm's internal control structure and to include the corresponding opinion by the firm's auditors on management's assessment of the firm's internal control, as well as the auditor's opinion on the internal control structure of the firm. Prior literature has provided limited empirical evidence on the impact of the internal control reporting requirements of SOX on investors' evaluations of firms (Bierstaker and Wright, 2004).
In an investigation of the market reaction to internal control deficiency disclosures, we found that firms reporting internal control deficiencies exhibit significantly higher risk and cost of capital relative to firms not reporting internal control deficiencies. In contrast, other findings using a different sample, design and cost of capital estimation find no association between internal control weaknesses and cost of capital. Our study highlights issues addressing the impact of SOX legislation by examining the impact of internal control deficiency disclosures on the investment decisions of individual investors.
Accounting policy makers consider investors an important user group for accounting information; as a result of this, most empirical tests of the impact of accounting information on investors have taken a "macro" approach, investigating the market's aggregate response to accounting data, relying on the capital asset pricing model. However, a few prior studies have experimentally investigated whether risk judgments and investment decisions of individual investors are affected by the variables noted in portfolio theory (variance of returns and covariance of returns with the market return) and/or accounting risk measures. It is important to note that when accounting information and market measures are in conflict, the participant's risk judgments correspond with accounting measures rather than market measures (Bedard and Graham, 2002). Furthermore, in a study examining how investors perceive risk, both the decision-theory variables (probabilities and outcomes) and behavioral variables are important in explaining investors' risk judgments. Specifically, there is a demonstration that potential loss outcome has an indirect, as well as a direct, effect on risk perceptions. Higher potential loss outcomes lead to greater perceived risk. Additionally, higher potential loss outcome has an indirect effect on perceived risk via its influence on behavioral variables that measure a risky item's perceived controllability and voluntariness, as well as the amount of worry and catastrophic potential associated with the item or investment (PCAOB 2005).
However, management should note how investors process and evaluate accounting information in studies utilizing experimental tasks. Management, auditors and investment analysts should make risk judgments given differences in opinions regarding management's assessment of internal control and the auditor's assessment of internal control in an experimental task. Specifically, the auditor examines the effect of internal control deficiencies on investment analysts' assessment of the financial strength of the company and the willingness to recommend the stock for purchase to clients. When the auditors give an adverse opinion on the effectiveness of internal control over financial reporting because of the existence of a material weakness, we expect to find that investment analysts would assess a higher risk for the firm than when the auditors give an unqualified opinion on internal control over financial reporting. Furthermore, we expect that investment analysts would be less likely to recommend firm stock to a client when there is an adverse opinion on the effectiveness of internal control over financial reporting because of a material weakness than when there is an unqualified opinion on financial statements and on internal control over financial reporting.
Again, internal control over financial reporting is a process designed and maintained by a company’s management to provide reasonable assurance about the reliability of financial reporting. Effective internal control over financial reporting is vital to the proper recording of transactions and the preparation of reliable financial reports. An effective internal control process is comprehensive and involves people at all levels throughout a company, including those who keep accounting records, prepare and disseminate policies, and monitor systems, as well as people in a variety of operating roles. In addition, the process is influenced by a company’s board of directors and its audit committee, which has responsibility for oversight of the financial reporting process. Under Section 404, a company’s management must assess the effectiveness of internal control over financial reporting as of the company’s fiscal year-end. The independent auditor will then report on management’s assessment, and on the effectiveness of the company’s internal control over financial reporting.
Effective internal controls are fundamental to investor confidence in financial reporting because they help to deter fraud and to prevent inaccurate financial statements. With more than half of U.S. households investing in the capital markets, either directly or through retirement funds, the new requirements of SOX are expected to have a significant beneficial impact on investment and the capital markets. One of the most visible changes that investors have noticed is the new reports by management and the independent auditor on a company’s internal control over financial reporting. A primary purpose of this publication is to help investors and other financial market participants better understand and interpret these new reports, which will be provided in addition to the independent auditor’s report on the company’s external financial statements to Americans (AICPA 2002).
In addition, Section 404 of the Sarbanes-Oxley Act institutes a new reporting model that will require management’s assessment of internal control over financial reporting and the related auditor’s report on internal control over financial reporting to be included in a company’s annual report on Form 10-K filed with the SEC. The SEC strongly encourages registrants to include the internal control reports in annual reports to shareholders as well, and has indicated that there will be rulemaking in this area.
The new reports that investors will see are the following:
• Management’s report: Management will state its responsibility for maintaining adequate internal control over financial reporting and give its assessment of whether or not internal control over financial reporting is effective. According to the rules, management cannot state that internal control over financial reporting is effective if even one material weakness exists at year-end.
• Auditor’s report: The independent auditor will evaluate and report on the fairness of management’s assessment. The auditor will also perform an independent audit of internal control over financial reporting and will issue an opinion on whether internal control is operating effectively as of the assessment date (i.e., the company’s fiscal year-end). If one or more material weaknesses exist at the company’s fiscal year-end, the auditor cannot conclude that internal control over financial reporting is effective.
As in the past, the independent auditor will also issue an opinion on whether the company’s published financial statements are presented fairly in all material respects in accordance with generally accepted accounting principles (GAAP). This report may be combined with the auditor’s report on internal control over financial reporting, or it may be presented separately.
Management is also required to assess internal control deficiencies. When an internal control deficiency is identified, management and the independent auditor will evaluate its significance and determine whether it constitutes a control deficiency, a significant deficiency, or a material weakness. Deficiencies that are less serious than a material weakness (i.e., control deficiencies and significant deficiencies) are required to be disclosed to the audit committee and/or management, and management and the independent auditor must evaluate less serious weaknesses to determine whether, when taken together, they result in a material weakness. All identified material weaknesses that exist at the company’s fiscal year-end must be disclosed in the public reports issued by management and the auditor. Although not required by Section 404, some companies may also choose to disclose significant deficiencies. If one or more material weaknesses exist at the company’s fiscal year-end, management and the auditor must conclude that internal control over financial reporting is not effective (Davis, 2006).
The Public Company Accounting Oversight Board (PCAOB) has defined a material weakness as a “significant control deficiency, or combination of deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected” (PCAOB, 2005). A material weakness does not mean that a material misstatement has occurred or will occur, but that it could occur.
Although the law requires that management disclose material weaknesses, it provides no specific guidance about the content of those disclosures. However, both the SEC chief accountant and the PCAOB chairman have stated publicly that they expect management’s report to disclose the nature of any material weakness, in sufficient detail to enable investors and other financial statement users to understand the weakness and evaluate the circumstances underlying it. The PCAOB standard also requires that the independent auditor’s report provide specific information about the nature of any material weakness and the actual and potential effect on the company’s financial statements. Investors and other financial statement users should evaluate each material weakness to understand the nature, cause, and potential implications of the weakness.
It is important to note that a company can report a material weakness in internal control over financial reporting and still receive an unqualified, or “clean,” financial statement opinion from the independent auditor. Whether management or the auditor identifies a material weakness, management continues to be responsible for the preparation of complete and accurate financial statements. Therefore, management should take whatever steps are necessary to compensate for the material weakness in the financial statement preparation process. By expanding the scope of testing of account balances or altering the audit approach in the area of weakness, the auditor may be able to conclude that the company’s financial statements are fairly stated and thus issue an unqualified opinion (PCAOB 2005).
Internal control reporting provides additional information to the marketplace. The expectation is that underwriters, analysts, rating agencies, lenders, and other market participants will consider internal control reporting in their analysis and evaluation processes for investment purposes.
“Timely” has been interpreted under section 409 of SOX to be two working days or less. This section also states that each issuer must disclose any information concerning material changes in the financial condition or operations of the company on a current basis. As soon as a company declares a material event, it must also document the event before it is allowed to claim that it has adequate process controls under section 404 (One Hundred Seventh Congress 2002). Most of these material events normally occur between the date of preparation of financial statements and the date of their approval by the management. Such events must be reflected in the financial statements of a firm in order to comply with the requirement of section 409. This would help to ensure the relevance and reliability of the financial statement. It would also help build investors’ confidence in the “true and fair view” of its financial position. On the other hand, there are some events which are significant but non-material. These events need not be reflected in the financial statement but have to be included in the footnote of a firm. Finally, the independent auditors have to determine whether an item is material or non-material based on the effect on investors.
Conclusion
In response to recent corporate scandals, Congress passed the Sarbanes–Oxley Act of 2002 (SOX) which, among other things, requires that the management assess the effectiveness of a company’s system of internal controls. The assumption implicit in this requirement is that the new internal control opinion provides investors with value-relevant information (PCAOB 2005). I believe through the creation of SOX as an ongoing management requirement, companies will learn from their evaluation process and remediate identified deficiencies, which should result in more reliable financial reporting and greater investor confidence. Even with these new requirements in place, it is possible that management fraud or errors will occur and not be detected since we have inherent risks. This may be due to a dominant management team or a fraudulent collusion by employees. The independent auditor assesses the financial statements of the prior year; therefore, they are limited by inherent risks. Internal control over financial reporting is intended to provide a reasonable assurance about the reliability of the financial reports. This is a high level of assurance, but it is not absolute. As the PCAOB standard recognizes, no system of internal control is absolutely safe from human error or from manipulation and collusion. Even effective internal control over financial reporting cannot offer absolute assurance that a company is free of fraud or that misstatements in financial reporting will always be prevented or detected on a timely basis. Investors and other financial statement users should also understand that the reports on internal control over financial reporting issued by management and the independent auditor do not provide any form of assurance on the soundness of a company’s business strategies or its ability to achieve desired financial goals.
The intended users of the financial reports should also understand that it is not the auditors’ primary responsibility to prevent and detect fraud, but they may act as a deterrent as they have to express an opinion and give a reasonable assurance that the financial statements as a whole are free from material misstatements.
Also, evidence suggested that an adverse audit opinion on internal control over financial reporting provides incremental value-relevant information to investors. This information is not provided in the financial statements and the audit opinion. Specifically, I found that an adverse audit opinion on internal controls over financial reporting relative to an unqualified opinion is significantly associated with investors assessing a higher risk of financial statement misstatement, higher risk of a future financial statement restatement, higher information asymmetry, lower financial statement transparency, higher risk premium, higher cost of capital, lower sustainability of earnings, and lower earnings predictability. Overall, I support the fact that the auditor’s opinion on the internal controls over financial reporting provides investors and other financial statement users with relevant information that will help them make prudent investment and economic decisions.

References
American Institute of Certified Public Accountants (AICPA). (2002). The Consideration of Fraud in a Financial Statement Audit. SAS No. 99. New York, NY: AICPA.
Bass, S. L., Slavin, N. S., & Vogel, G. M. (July, 2011). Sarbanes-Oxley's CEO and CFO Certification Requires Scienter to Protect Investors. CPA Journal, Vol. 81 (7), 62-66.
Bedard, J.C. and Graham, L.E. (2002). The effects of decision aid orientation on Risk Factor Identification and Audit Test Planning. Auditing: A Journal of Practice and Theory, pp. 39-56.
Bierstaker, J.L. and Wright, S. (2004). Does the Adoption of Business Risk Audit Approach Change Internal Control Documentation and Testing Practices? International Auditing Journal, Vol. 8, pp. 67-78.
Claypool, G., Tackett, J., and Wolf, F. (2004). Sarbanes-Oxley and Audit Failure: A Critical Examination. Managerial Auditing Journal, Vol. 19 (3), 348-350.
Davis, J.T. (2006). Experience and auditors' selection of relevant information for preliminary control risk assessments. Auditing: A Journal of Practice and Theory, pp. 16-37.
Linsmeier, T. and Pearson, N. (1997). Quantitative disclosures of market risk in the Securities and Exchange Commission release. Accounting Horizons, Vol. 11, pp. 107-35.
One Hundred Seventh Congress of the United States of America. (January 2002). Retrieved on November 25, 2011 from Find Law Website: www.news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley
PCAOB (2005). Public Company Accounting Oversight Board Issues Guidance on Audits of Internal Control. Retrieved on November 24 from PCAOB Website: www.pcaob.com/News_and_Events/News/2005/05

