Abstract
This paper aims to examine
how differences in opinions on the material weaknesses identified in the
auditor's assessment of the financial statements, and internal control as a
whole affect investment analysts' assessment of the financial strength of the
company and willingness to recommend the stock for purchase to clients. It also
aims to examine how the auditor's opinion on management's performance on
internal control affects investment analysts' assessment. The findings indicate
that adverse audit opinions on the effectiveness of internal control result in
investment analysts making a higher assessment of company risk, a lower
assessment of the strength of internal control over financial reporting, and a
marginally significant difference in the likelihood of recommending stock to
their client. It is therefore evident that auditors' assessment of internal
control risk provides information to investment analysts by examining the
implications of Section 404 of the Sarbanes-Oxley Act on the judgment of users
of financial statements.
This paper provides a
theoretical investigation of the effects of the Sarbanes-Oxley Act of 2002 on
auditing intensity and internal control strength. It is important to note that
controls tests are a valuable tool for the auditor when control strength is
informative about the likelihood of fraud, which serves as a tool of security
for prospective investors. It is true that Sarbanes-Oxley has the desired
effect of inducing stronger internal control system and less fraud, but does
not necessarily induce higher level of control testing.
The Securities and Exchange
Commission and the Public Company Accounting Oversight Board held their joint
roundtable in May to discuss second-year experiences with the reporting and
auditing requirements of the Sarbanes-Oxley Act of 2002. The goal of the joint
roundtable was to seek feedback on experiences with complying with the Section
404 internal control requirements in order to develop policies to effectively
and efficiently improve the reliability of financial statements for the benefit
of investors.
Introduction
The
Sarbanes-Oxley Act (SOX) of 2002 significantly expanded the rules for corporate
governance, disclosure, and reporting. It emphasizes the critical role of
internal control over financial reporting in an effort to enhance
accountability and restore investor confidence after the huge financial and
accounting scandals which saw the end of Enron and Arthur Anderson.
Specifically, Section 404 of the Sarbanes-Oxley Act (Enhanced financial
disclosures and management assessment of internal control) in conjunction with
the related Securities and Exchange Commission (SEC) rules and Auditing
Standard No. 2 established by the Public Company Accounting Oversight Board
(PCAOB) requires management of a public company to report annually on the
effectiveness of the company's internal control over financial reporting. Under
the new reporting requirements, investors and other users of financial
statements may be required to make investment and credit decisions based on an
independent auditor's report that may have differing opinions.
This
paper examines how different opinions on the material weaknesses identified in
the auditor's assessment of internal control and financial statement affects an
investment analysts' assessment of the financial strength of the company and
the willingness to recommend the stock for purchase to clients. Section 404 of
the Sarbanes-Oxley Act provides additional information to investors and other
users of financial statements pertaining to the effectiveness of the company's
internal control over financial reporting. Disclosure of information about
risks and uncertainties has become an increasingly important part of financial
reporting (Linsmeier and Pearson, 1997).
It
is important to note that in conjunction with the audit of the company's
financial statements, the company's independent auditor is required to issue a
report on internal control over financial reporting, which includes both an
opinion on management's assessment and an opinion on the effectiveness of the
company's internal control over financial reporting. The auditing requirements
also highlight the concept of a material weakness in internal control over
financial reporting, and mandate that both management and the independent
auditor must publicly report any material weaknesses in internal control over
financial reporting that exist as of the fiscal year end. A material weakness
is a deficiency or combination of deficiencies, in internal control over
financial reporting, such that there is a reasonable possibility that a
material misstatement of the company’s financial statements will not be
prevented or detected on a timely basis. The existence of a single material
weakness requires management and the independent auditor to conclude that
internal control over financial reporting is not effective.
The
effect of internal control reporting on investors' judgments
The
importance of internal control and the need for internal control standards are
issues that have been addressed by regulators and the profession. Prior to the
fraudulent financial reporting practices and resulting decline in investor
confidence in the early 2000s, the disclosure of internal control deficiencies
was not required in the audit report. Audit standards required the auditor to
report significant internal control deficiencies to the audit committee and to
use the assessment of the control risk to determine the nature, timing, and
extent of substantive testing. Sarbanes-Oxley (SOX 2002) mandated new
disclosures about and assessments of internal controls. Speaking in terms of
specifics, Section 404 requires management to annually disclose its assessment
of the firm's internal control structure and to include the corresponding
opinion by the firm's auditors on management's assessment of the firm's
internal control, as well as the auditor's opinion on the internal control
structure of the firm. Prior literatures have provided limited empirical
evidence on the impact of the internal control reporting requirements of SOX on
investors' evaluations of firms (Bierstaker, J.L. and Wright, S. 2004).
In
an investigation of the market reaction to internal control deficiency
disclosures, I found that firms reporting internal control deficiencies exhibit
significantly high risk and cost of capital relative to firms not reporting
internal control deficiencies. In contrast, other findings using different
sample, design and cost of capital estimation find no association between
internal control weaknesses and cost of capital. Our study highlights issues
addressing the impact of SOX legislation by examining the impact of internal control
deficiency disclosures on the investment decisions of individual investors.
Accounting
policy makers consider investors an important user group for accounting
information; as a result of this, most empirical test of the impact of
accounting information on investors have taken a "macro" approach,
investigating the market's aggregate response to accounting data, relying on
the capital asset pricing model. However, a few prior studies have
experimentally investigated whether risk judgments and investment decisions of
individual investors are affected by the variables noted in portfolio theory
(variance of returns and covariance of returns with the market return) and/or
accounting risk measures. It is important to note that when accounting
information and market measures are in conflict, the participant's risk
judgments correspond with accounting measures rather than market measures
(Bedard, J.C. and Graham, L.E. 2002). Furthermore, in a study examining how
investors perceive risk, both the decision-theory variables (probabilities and
outcomes) and behavioral variables are important in explaining investors' risk
judgments. Specifically, there is a demonstration that potential loss outcome
has an indirect, as well as a direct, effect on risk perceptions. Higher
potential loss outcomes lead to greater perceived risk. Additionally, higher
potential loss outcome has an indirect effect on perceived risk via its
influence on behavioral variables that measure a risky item's perceived
controllability and voluntariness, as well as the amount of worry and
catastrophic potential associated with the item or investment (PCAOB 2005).
However,
auditors should note how investors process and evaluate accounting information
in studies utilizing experimental tasks. Auditors and investment analysts
should make risk judgments given differences in opinions regarding management's
assessment of internal control and the auditor's assessment of internal control
in an experimental task. Specifically, the auditor examines the effect of internal
control deficiencies on investment analysts' assessment of the financial
strength of the company and the willingness to recommend the stock for purchase
to clients. When the auditors give an adverse opinion on the effectiveness of
internal control over financial reporting because of the existence of a
material weakness, we expect to find that investment analysts would assess a
higher risk for the firm than when the auditors give an unqualified opinion on
internal control over financial reporting. Furthermore, we expect that
investment analysts would be less likely to recommend firm stock to a client
when there is an adverse opinion on the effectiveness of internal control over
financial reporting because of a material weakness than when there is an unqualified
opinion on financial statements and on internal control over financial
reporting.
Effective
Internal Control over Financial Reporting
Internal
control over financial reporting is a process designed and maintained by a
company’s management to provide reasonable assurance about the reliability of
financial reporting. Effective internal control over financial reporting is
vital to the proper recording of transactions and the preparation of reliable
financial reports. An effective internal control process is comprehensive and
involves people at all levels throughout a company, including those who keep
accounting records, prepare and disseminate policies, and monitor systems, as
well as people in a variety of operating roles. In addition, the process is influenced
by a company’s board of directors and its audit committee, which has
responsibility for oversight of the financial
reporting
process. Under Section 404, a company’s management must assess the
effectiveness of
internal
control over financial reporting as of the company’s fiscal year-end. The
independent auditor will then report on management’s assessment, and on the
effectiveness of the company’s internal control over financial reporting.
Effective
internal controls are fundamental to investor confidence in financial reporting
because they help to deter fraud and to prevent inaccurate financial
statements. With more than half of U.S. households investing in the capital
markets, either directly or through retirement funds, the new requirements of the
Sarbanes-Oxley Act (2002) are expected to have a significant beneficial impact
on investment and the capital markets. One of the most visible changes that
investors have noticed is the new reports by management and the independent
auditor on a company’s internal control over financial reporting. A primary
purpose of this publication is to help investors and other financial market
participants better understand and interpret these new reports, which will be
provided in addition to the independent auditor’s report on the company’s
external financial statements American (AICPA 2002).
The New Reports for
Investors
Section
404 of the Sarbanes-Oxley Act institutes a new reporting model that will
require management’s assessment of internal control over financial reporting
and the related auditor’s report on internal control over financial reporting
to be included in a company’s annual report on Form 10-K filed with the
Securities and Exchange Commission (SEC). The SEC strongly encourages
registrants to include the internal control
reports in annual reports to shareholders as well, and has indicated that there
will be rulemaking in this area.
The
new reports that investors will see are the following:
•
Management’s report: Management will state its responsibility
for maintaining adequate internal control over financial reporting and give its
assessment of whether or not internal control over financial reporting is
effective. According to the rules, management cannot state that internal
control over financial reporting is effective if even one material weakness
exists at year-end.
•
Auditor’s report. The independent auditor will evaluate
and report on the fairness of management’s assessment. The auditor also will
perform an independent audit of internal control over financial reporting and
will issue an opinion on whether internal control is operating effectively as
of the assessment date (i.e., the company’s fiscal year-end). If one or more
material weaknesses exist at the company’s fiscal year-end, the auditor cannot
conclude that internal control over financial reporting is effective.
As
in the past, the independent auditor will also issue an opinion on whether the
company’s published financial statements are presented fairly in all material
respects in accordance with generally accepted accounting principles (GAAP).
This report may be combined with the auditor’s report on internal control over
financial reporting, or it may be presented separately.
Control
Deficiencies and What They Mean
When
an internal control deficiency is identified, management and the independent
auditor will evaluate its significance and determine whether it constitutes a
control deficiency, a significant deficiency, or a material weakness.
Deficiencies that are less serious than a material weakness (i.e., control
deficiencies and significant deficiencies) are required to be disclosed to the
audit committee and/or management, and management and the independent auditor
must evaluate less serious weaknesses to determine whether, when taken together,
they result in a material weakness.
All
identified material weaknesses that exist at the company’s fiscal year-end must
be disclosed in the public reports issued by management and the auditor.
Although not required by Section 404, some companies may also choose to
disclose significant deficiencies. If one or more material weaknesses exist at
the company’s fiscal year-end, management and the auditor must conclude that
internal control over financial reporting is not effective (Davis, J.T. 2006).
The
Public Company Accounting Oversight Board (PCAOB) has defined a material
weakness as a “significant control deficiency, or combination of deficiencies,
that results in more than a remote likelihood that a material misstatement of
the annual or interim financial statements will not be prevented or detected.”
A material weakness does not mean that a material misstatement has occurred or
will occur, but that it could occur.
Although
the law requires that management disclose material weaknesses, they provide no
specific guidance about the content of those disclosures. However, both the SEC
chief accountant and the PCAOB chairman have stated publicly that they expect
management’s report to disclose the nature of any material weakness, in
sufficient detail to enable investors and other financial statement users to
understand the weakness and evaluate the circumstances underlying it. The PCAOB
standard also requires that the independent auditor’s report provide specific
information about the nature of any material weakness and the actual and
potential effect on the company’s financial statements. Investors and other
financial statement users should evaluate each material weakness to understand
the nature, cause, and potential implications of the weakness.
It
is important to note that a company can report a material weakness in internal
control over financial reporting and still receive an unqualified, or “clean,”
financial statement opinion from the independent auditor. Whether management or
the auditor identifies a material weakness, management continues to be
responsible for the preparation of complete and accurate financial statements.
Therefore, management should take whatever steps are necessary to compensate
for the material weakness in the financial statement preparation process. By
expanding the scope of testing of account balances or altering the audit
approach in the area of weakness, the auditor may be able to conclude that the
company’s financial statements are fairly stated and thus issue an unqualified
opinion (PCAOB 2005).
Internal
control reporting provides additional information to the marketplace. The
expectation is that underwriters, analysts, rating agencies, lenders, and other
market participants will consider internal control reporting in their analysis
and evaluation processes for investment purposes.
In response
to recent corporate scandals, Congress passed the Sarbanes–Oxley Act of 2002
(SOX) which, among other things, requires that the auditor render an opinion as
to the effectiveness of a company’s system of internal controls. The assumption
implicit in this requirement is that the new internal control opinion provides
investors with value-relevant information (PCAOB 2005). My evidence suggests
that an adverse audit opinion on internal control over financial reporting
provides incremental value-relevant information to investors beyond that
contained in the financial statement audit opinion alone. Specifically I found
that an adverse audit opinion on internal controls over financial reporting
relative to an unqualified opinion is significantly associated with investors
assessing a higher risk of financial statement misstatement, higher risk of a
future financial statement restatement, higher information asymmetry, lower financial
statement transparency, higher risk premium, higher cost of capital, lower
sustainability of earnings, and lower earnings predictability. Overall, I
support the fact that the auditor’s opinion on the internal controls over
financial reporting provides investors and other financial statement users with
relevant information that will help them make prudent investment decisions.
I believe through
the creation of an ongoing management requirement, companies will learn from
their evaluation process and remediate identified deficiencies, which should
result in more reliable financial reporting and greater investor confidence.
Even with these new requirements in place, it is possible that management fraud
or errors will occur and not be detected. Internal control over financial
reporting is intended to provide reasonable assurance about the reliability of
financial reporting. This is a high level of assurance, but it is not absolute.
As the PCAOB standard recognizes, no system of internal control is absolutely
safe from human error or from manipulation and collusion. Even effective
internal control over financial reporting cannot offer absolute assurance that
a company is free of fraud or that misstatements in financial reporting will
always be prevented or detected on a timely basis. Investors and other
financial statement users should also understand that the reports on internal
control over financial reporting issued by management and the independent
auditor do not provide any form of assurance on the soundness of a company’s
business strategies or its ability to achieve desired financial goals.
References
Linsmeier, T. and Pearson,
N. (1997). Quantitative disclosures of market risk in the Securities and Exchange Commission release. Accounting Horizons, Vol. 11. pp. 107-35.
American Institute of
Certified Public Accountants (AICPA). (2002). The Consideration of Fraud in a Financial Statement Audit.
SAS No. 99 New York, NY AICPA
PCAOB
(2005), Public Company Accounting Oversight Board Issues Guidance on
Audits of
Internal Control,
available at www.pcaob.com/News_and_Events/News/2005/05
|
Bierstaker, J.L. and
Wright, S. (2004), Does the Adoption of
Business Risk Audit Approach Change Internal Control Documentation and Testing
Practices? International Auditing Journal, Vol. 8, pp. 67-78.
|
Bedard, J.C. and Graham,
L.E. (2002). The effects of decision aid orientation on Risk Factor Identification and Audit Test Planning",
Auditing: A Journal of Practice and Theory, pp. 39-56.
|
Davis,
J.T. (2006), Experience and auditors' selection of relevant information
for preliminary
control risk assessments", Auditing: A
Journal of Practice and Theory, pp. 16-37.
|
No comments:
Post a Comment