The Sarbanes-Oxley Act (SOX) of
2002 significantly expanded the rules for corporate governance, disclosure, and
reporting. It emphasizes the critical role of internal control over financial
reporting within companies in an effort to enhance their accountability and
restore investor confidence after the huge financial and accounting scandals
which saw the end of Enron and Arthur Anderson. Specifically, SOX is intended
to enhance financial disclosures and management assessment of internal control
in line with the related Securities and Exchange Commission (SEC) rules.
Auditing Standard No. 2 established by the Public Company Accounting Oversight
Board (PCAOB) requiring management of a public company to report annually on
the effectiveness of the company's financial statement. Under the new reporting
requirements, investors and other users of financial statements may be required
to make investment and credit decisions based on an independent auditor's
report that may have differing opinions.
This paper examines section 302 -
management assessment of disclosure controls, section 404 - management
assessments of internal controls over financial reporting and section 409. These three sections require
companies to have a "timely" reporting of material events that have an
impact on the financial reports and how they impact management. Disclosures on
information of risks and uncertainties have become an increasingly important
part of financial reporting (Linsmeier and Pearson, 1997). At the individual level the
penalty for violating the provisions of Sarbanes-Oxley are significant. The
most notable of penalties is reserved for Chief Executive Officers (CEOs) and Chief
Financial Officers (CFOs) who are required to attest to the validity of the
firm's financial reports. Individuals that violate this provision, either
knowingly or unknowingly are subject to up to $5 million in fines and/or 20
years in prison (Claypool, Tackett, and Wolf 2004)
It is important to note that in
conjunction with the management requirement to report on the effectiveness of
internal control over financial reporting, it is also mandatory to make all
relevant assessments on the disclosure of the control policies and procedures
designed and implemented in respect of the operating effectiveness of the
company and its financial statements. The company's independent auditors are
also required to issue a report on the operating effectiveness of the internal
control implemented by management and how they impact the financial reports.
This includes both an opinion on management's assessment of the internal
control policies and the effectiveness of their operation. The auditing
requirements also highlight the importance of the concept of material weaknesses
in the internal control and their impact on financial reporting. Both management
and the independent auditor are mandated to prepare a public report on any
material weaknesses in internal controls on the financial reports that exist at
the fiscal year end. A material weakness is a deficiency or combination of
deficiencies, in internal control over financial reporting, such that there is
a reasonable possibility that a material misstatement of the company’s
financial statements will not be prevented or detected on a timely basis. The
existence of a single material weakness requires management and the independent
auditor to conclude that internal control over financial reporting is not
effective.
With the passage of SOX, it was
believed that the SEC and investors would possess a greater ability to hold a
corporation's officers accountable for financial and accounting misdeeds. Thus,
by certifying, the CEO and CFO have assured investors that the report does not
contain any untrue statements of material fact that would make the statement
misleading (Bass, Slavin, and Vogel, 2011). In order to maintain this
requirement, management is to report on the effectiveness of internal control
over financial reporting. The importance of internal control and the need for
internal control standards are issues that have been addressed by regulators
and the profession. Prior to the fraudulent financial reporting practices and resulting
decline in investor confidence in the early 2000s, the disclosure of internal
control deficiencies was not required in the audit report. Audit standards
required the auditor to report on significant internal control deficiencies to
the audit committee and to use the assessment of the control risk to determine
the nature, timing, and extent of substantive testing. SOX mandated new
disclosures about and assessments of internal controls. Speaking in terms of
specifics, Section 404 requires management to annually disclose its assessment
of the firm's internal control structure and to include the corresponding
opinion by the firm's auditors on management's assessment of the firm's
internal control, as well as the auditor's opinion on the internal control
structure of the firm. Prior literatures have provided limited empirical
evidence on the impact of the internal control reporting requirements of SOX on
investors' evaluations of firms (Bierstaker, and Wright, S. 2004).
In an investigation of the market reaction
to internal control deficiency disclosures, we found that firms reporting
internal control deficiencies exhibit significantly high risk and cost of
capital relative to firms not reporting internal control deficiencies.
In contrast, other findings using
different sample, design and cost of capital estimation find no association
between internal control weaknesses and cost of capital. Our study highlights
issues addressing the impact of SOX legislation by examining the impact of
internal control deficiency disclosures on the investment decisions of
individual investors.
Accounting policy makers consider
investors an important user group for accounting information; as a result of
this, most empirical test of the impact of accounting information on investors
have taken a "macro" approach, investigating the market's aggregate
response to accounting data, relying on the capital asset pricing model.
However, a few prior studies have experimentally investigated whether risk
judgments and investment decisions of individual investors are affected by the
variables noted in portfolio theory (variance of returns and covariance of
returns with the market return) and/or accounting risk measures. It is
important to note that when accounting information and market measures are in
conflict, the participant's risk judgments correspond with accounting measures
rather than market measures (Bedard, and Graham, 2002). Furthermore, in a study
examining how investors perceive risk, both the decision-theory variables
(probabilities and outcomes) and behavioral variables are important in
explaining investors' risk judgments. Specifically, there is a demonstration
that potential loss outcome has an indirect, as well as a direct, effect on
risk perceptions. Higher potential loss outcomes lead to greater perceived
risk. Additionally, higher potential loss outcome has an indirect effect on
perceived risk via its influence on behavioral variables that measure a risky
item's perceived controllability and voluntariness, as well as the amount of
worry and catastrophic potential associated with the item or investment (PCAOB
2005).
However, management should note
how investors process and evaluate accounting information in studies utilizing
experimental tasks. Management, auditors and investment analysts should make
risk judgments given differences in opinions regarding management's assessment
of internal control and the auditor's assessment of internal control in an
experimental task. Specifically, the auditor examines the effect of internal
control deficiencies on investment analysts' assessment of the financial
strength of the company and the willingness to recommend the stock for purchase
to clients. When the auditors give an adverse opinion on the effectiveness of
internal control over financial reporting because of the existence of a
material weakness, we expect to find that investment analysts would assess a
higher risk for the firm than when the auditors give an unqualified opinion on
internal control over financial reporting. Furthermore, we expect that
investment analysts would be less likely to recommend firm stock to a client
when there is an adverse opinion on the effectiveness of internal control over
financial reporting because of a material weakness than when there is an
unqualified opinion on financial statements and on internal control over
financial reporting.
Again, internal
control over financial reporting is a process designed and maintained by a
company’s management to provide reasonable assurance about the reliability of
financial reporting. Effective internal control over financial reporting is
vital to the proper recording of transactions and the preparation of reliable
financial reports. An effective internal control process is comprehensive and
involves people at all levels throughout a company, including those who keep
accounting records, prepare and disseminate policies, and monitor systems, as
well as people in a variety of operating roles. In addition, the process is
influenced by a company’s board of directors and its audit committee, which has
responsibility for oversight of the financial reporting process. Under Section
404, a company’s management must assess the effectiveness of internal control
over financial reporting as of the company’s fiscal year-end. The independent
auditor will then report on management’s assessment, and on the effectiveness
of the company’s internal control over financial reporting.
Effective internal controls are fundamental to
investor confidence in financial reporting because they help to deter fraud and
to prevent inaccurate financial statements. With more than half of U.S.
households investing in the capital markets, either directly or through
retirement funds, the new requirements of the SOX are expected to have a
significant beneficial impact on investment and the capital markets. One of the
most visible changes that investors have noticed is the new reports by
management and the independent auditor on a company’s internal control over
financial reporting. A primary purpose of this publication is to help investors
and other financial market participants better understand and interpret these
new reports, which will be provided in addition to the independent auditor’s
report on the company’s external financial statements
to Americans (AICPA 2002).
To add more, section 404 of the Sarbanes-Oxley Act institutes a new reporting model
that will require management’s assessment of internal control over financial
reporting and the related auditor’s report on internal control over financial
reporting to be included in a company’s annual report on Form 10-K filed with
the SEC. The SEC strongly encourages registrants to include the internal control reports in annual reports to shareholders
as well, and has indicated that there will be rulemaking in this area.
The new reports that investors will see are
the following:
• Management’s report: Management will state its responsibility for
maintaining adequate internal control over financial reporting and give its
assessment of whether or not internal control over financial reporting is
effective. According to the rules, management cannot state that internal
control over financial reporting is effective if even one material weakness
exists at year-end.
• Auditor’s report. The independent auditor will evaluate and
report on the fairness of management’s assessment. The auditor also will also
perform an independent audit of internal control over financial reporting and
will issue an opinion on whether internal control is operating effectively as
of the assessment date (i.e., the company’s fiscal year-end). If one or more
material weaknesses exist at the company’s fiscal year-end, the auditor cannot
conclude that internal control over financial reporting is effective.
As in the past, the
independent auditor will also issue an opinion on whether the company’s
published financial statements are presented fairly in all material respects in
accordance with generally accepted accounting principles (GAAP). This report
may be combined with the auditor’s report on internal control over financial
reporting, or it may be presented separately.
Management is also required to assess internal control deficiencies. When an internal control deficiency is
identified, management and the independent auditor will evaluate its
significance and determine whether it constitutes a control deficiency, a
significant deficiency, or a material weakness. Deficiencies that are less
serious than a material weakness (i.e., control deficiencies and significant
deficiencies) are required to be disclosed to the audit committee and/or management,
and management and the independent auditor must evaluate less serious
weaknesses to determine whether, when taken together, they result in a material
weakness. All identified material weaknesses that exist at the company’s
fiscal year-end must be disclosed in the public reports issued by management
and the auditor. Although not required by Section 404, some companies may also
choose to disclose significant deficiencies. If one or more material weaknesses
exist at the company’s fiscal year-end, management and the auditor must
conclude that internal control over financial reporting is not effective (Davis, 2006).
The Public Company
Accounting Oversight Board (PCAOB) has defined a material weakness as a
“significant control deficiency, or combination of deficiencies, that results
in more than a remote likelihood that a material misstatement of the annual or
interim financial statements will not be prevented or detected (PCAOB, 2005).” A
material weakness does not mean that a material misstatement has occurred or
will occur, but that it could occur.
Although the law requires that management
disclose material weaknesses, they provide no specific guidance about the
content of those disclosures. However, both the SEC chief accountant and the
PCAOB chairman have stated publicly that they expect management’s report to
disclose the nature of any material weakness, in sufficient detail to enable
investors and other financial statement users to understand the weakness and
evaluate the circumstances underlying it. The PCAOB standard also requires that
the independent auditor’s report provide specific information about the nature
of any material weakness and the actual and potential effect on the company’s
financial statements. Investors and other financial statement users should
evaluate each material weakness to understand the nature, cause, and potential
implications of the weakness.
It is important to
note that a company can report a material weakness in internal control over
financial reporting and still receive an unqualified, or “clean,” financial
statement opinion from the independent auditor. Whether management or the
auditor identifies a material weakness, management continues to be responsible
for the preparation of complete and accurate financial statements. Therefore,
management should take whatever steps are necessary to compensate for the
material weakness in the financial statement preparation process. By expanding
the scope of testing of account balances or altering the audit approach in the
area of weakness, the auditor may be able to conclude that the company’s
financial statements are fairly stated and thus issue an unqualified opinion (PCAOB 2005).
Internal control
reporting provides additional information to the marketplace. The expectation
is that underwriters, analysts, rating agencies, lenders, and other market
participants will consider internal control reporting in their analysis and
evaluation processes for investment purposes.
Timely, has been
interpreted under section 409 of SOX to be two working days or less. This
section also states that each issuer must disclose any information concerning
material changes in the financial condition or operations of the company on a
current basis. As soon as a company declares a material event, they must also
document it before they are allowed to claim that they have adequate process
controls under section 404 (One Hundred Seventh Congress 2002). Most of these material events
normally occur between the date of preparation of financial statements and the
date of their approval by the management. Such events must be reflected in the
financial statements of a firm, in order to comply with the requirement of
section 409. It would help to ensure relevance and reliability of the financial
statement. Also, it would help build investors’ confidence on the “true and
fair view” of its financial position. On the other hand, there are some events
which are significant but non-material. These events need not be reflected in
the financial statement but, has to be included in the footnote of a firm. To
crown it all, the independent auditors has to determine whether an item is
material or non-material based on the effect on investors.
Conclusion
In response to recent corporate
scandals, Congress passed the Sarbanes–Oxley Act of 2002 (SOX) which, among
other things, requires that the management assess the effectiveness of a
company’s system of internal controls. The assumption implicit in this requirement
is that the new internal control opinion provides investors with value-relevant
information (PCAOB 2005). I believe through the creation of SOX as an ongoing management requirement,
companies will learn from their evaluation process and remediate identified
deficiencies, which should result in more reliable financial reporting and
greater investor confidence. Even with these new requirements in place, it is
possible that management fraud or errors will occur and not be detected since
we have inherent risks. This may be due a dominant management team or a
fraudulent collusion by employees. The independent auditor assesses financial
statement of the prior year therefore they are limited by inherent risks. Internal
control over financial reporting is intended to provide a reasonable assurance
about the reliability of the financial reports. This is a high level of
assurance, but it is not absolute. As the PCAOB standard recognizes, no system
of internal control is absolutely safe from human error or from manipulation
and collusion. Even effective internal control over financial reporting cannot
offer absolute assurance that a company is free of fraud or that misstatements
in financial reporting will always be prevented or detected on a timely basis.
Investors and other financial statement users should also understand that the
reports on internal control over financial reporting issued by management and
the independent auditor do not provide any form of assurance on the soundness
of a company’s business strategies or its ability to achieve desired financial
goals. The intended users of the financial reports should also understand that
it is not the auditors’ primary responsibility to prevent and detect fraud but
may act as a deterrent as they have to express an opinion and give a reasonable
assurance that the financial statements as a whole are free from material
misstatements.
Also evidence suggested that an
adverse audit opinion on internal control over financial reporting provides
incremental value-relevant information to investors. This information is not
provided in the financial statements and the audit opinion. Specifically I
found that an adverse audit opinion on internal controls over financial
reporting relative to an unqualified opinion is significantly associated with
investors assessing a higher risk of financial statement misstatement, higher
risk of a future financial statement restatement, higher information asymmetry,
lower financial statement transparency, higher risk premium, higher cost of
capital, lower sustainability of earnings, and lower earnings predictability.
Overall, I support the fact that the auditor’s opinion on the internal controls
over financial reporting provides investors and other financial statement users
with relevant information that will help them make prudent investment and
economic decisions.
References
American Institute of Certified Public Accountants (AICPA).
(2002). The Consideration of Fraud in a Financial Statement Audit.
SAS No. 99 New York, NY AICPA
Bass, S. L., Slavin,
N. S., & Vogel, G. M. (July, 2011). Sarbanes-Oxley's
CEO and CFO Certification Requires Scienter to Protect Investors.
CPA Journal; Vol. 81 (7) 62-66,
Bedard, J.C. and Graham, L.E. (2002). The effects of decision aid orientation on Risk Factor Identification and Audit Test Planning",
Auditing: A Journal of Practice and Theory, pp. 39-56.
Claypool, G., J. Tackett, and Wolf, F.
(2004), Sarbanes-Oxley and Audit Failure: A Critical Examination, Managerial
Auditing Journal: Vol. 19, (3) 348-350.
Davis, J.T. (2006), Experience and auditors' selection of relevant information for
preliminary
control risk assessments, Auditing: A Journal of Practice and Theory, pp. 16-37.
|
|
|
|
Linsmeier, T. and Pearson, N. (1997). Quantitative disclosures
of market risk in the Securities
and Exchange Commission release. Accounting Horizons, Vol. 11. pp. 107-35.
One Hundred Seventh Congress of the United States of America.
(January 2002). Retrieved on November 25, 2011 from Find Law Website: www.news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley
PCAOB (2005), Public
Company Accounting Oversight Board Issues Guidance on Audits of
Internal Control. Retrieved on November 24 from PCAOB Website; www.pcaob.com/News_and_Events/News/2005/05
|
|
Bierstaker, J.L. and Wright, S. (2004), Does the Adoption of
Business Risk Audit Approach Change
Internal Control Documentation and Testing Practices? International Auditing
Journal, Vol. 8, pp. 67-78.
|
|