“Logically, this means that the certification per SOX 302 by the CFO and CEO that is included in the quarterly financial statements was wrong.”
Audit Analytics has released some interesting statistics on financial restatements and SOX.
According to them, in 2015 about 5.3% of companies assessed their internal control over financial reporting (ICFR) as ineffective. This is down from 5.8% in 2014 but otherwise the highest level since 2008.
This is the key section of their report:
One criticism of SOX 404 is that many material weaknesses are not disclosed until after a company has restated its financial statements. The PCAOB found that 80.4% of companies with a restatement in 2014 did not have ineffective ICFR prior to the disclosure of the restatement. This raises doubts about whether SOX 404 has much of an effect.
The last statement is faulty logic.
SOX 404 is about the assessment at the end of the year.
The point here is that organizations had ineffective ICFR earlier in the year, presumably in earlier quarters.
Logically, this means that the certification per SOX 302 by the CFO and CEO that is included in the quarterly financial statements was wrong.
Let’s look at that certification. This is taken from the SEC’s Final Rule, Certification of Disclosure in Companies’ Quarterly and Annual Reports. I have highlighted the most relevant portion.
1. I have reviewed this quarterly report on Form 10-Q of [identify registrant];
2. Based on my knowledge, this quarterly report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this quarterly report;
3. Based on my knowledge, the financial statements, and other financial information included in this quarterly report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this quarterly report;
4. The registrant’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-14 and 15d-14) for the registrant and we have:
a) designed such disclosure controls and procedures to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this quarterly report is being prepared;
b) evaluated the effectiveness of the registrant’s disclosure controls and procedures as of a date within 90 days prior to the filing date of this quarterly report (the “Evaluation Date”); and
c) presented in this quarterly report our conclusions about the effectiveness of the disclosure controls and procedures based on our evaluation as of the Evaluation Date;
5. The registrant’s other certifying officers and I have disclosed, based on our most recent evaluation, to the registrant’s auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent function):
a) all significant deficiencies in the design or operation of internal controls which could adversely affect the registrant’s ability to record, process, summarize and report financial data and have identified for the registrant’s auditors any material weaknesses in internal controls; and
b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal controls; and
6. The registrant’s other certifying officers and I have indicated in this quarterly report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of our most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Disclosure controls include internal control over financial reporting. This is how they are defined by the SEC:
“…controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. “Disclosure controls and procedures” include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.”
If ICFR is not effective, then disclosure controls are not effective.
The CEO and CFO need to have a reasonable basis for their assessments of disclosure controls and ICFR.
If they know, or should know, that there were potential material weaknesses at the end of any quarter, they should not have signed the 302 certification as if there were none and ICFR and disclosure controls were effective.
This is what I recommend in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:
…prudence suggests that management:
- I suggest that this can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
- The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
- As discussed below, the system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower—typically one quarter the size—determination of what constitutes material.
- The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
- Confirms that the external auditors do not disagree with management’s quarterly assessment.
- Understands―which requires an appropriate process to gather the necessary information―whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and should be disclosed (see item #6 in the certification, above).
I welcome your comments.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- How effective are your systems of governance, risk, and control/compliance (GRC)? - October 19, 2021
- Delivering value from IT audit - September 22, 2021
- Selecting software for risk management - August 18, 2021