By: George M. Wilson & Carol A. Stacey
Good accounting requires good communication. Many times information that is well-removed from the financial reporting and accounting functions has impacts on the financial statements or other parts of the SEC reporting process, especially MD&A. The Sarbanes Oxley Act built on the internal accounting controls guidance in section 13(b) of the FCPA Act in expanding the evaluation, audit and reporting requirements for internal control over financial reporting, or ICFR, and creating the concept of disclosure controls and procedures, or DCP.
A recent enforcement action brings home, at this important year-end time, the importance of effective disclosure controls throughout the company, with perhaps redundant controls that search beyond traditional financial reporting functions for issues that may impact the financial statements or require disclosure in other parts of a periodic report. It reinforces the idea that responsibility for disclosure is a company-wide obligation, and that companies need to build reliable infrastructures to ensure that investors receive all of the information they are supposed to receive.
ICFR and its related requirements have been part of the reporting process for decades. ICFR is formally defined in Exchange Act Rule 13(a)-15 as:
a process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.
ICFR is all about the financial statements and that of course includes all of the relevant disclosures in the footnotes to the financial statements.
Here is how SOX expanded this process and formally defined disclosure controls in Exchange Act Rule 13(a)-15:
For purposes of this section, the term disclosure controls and procedures means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the Act (15 U.S.C. 78a et seq.) is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer’s management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.
What is clear in this definition is that DCP relates to the entire report, not just the financial statements. And, both ICFR and DCP are relevant to the financial statements.
The terms “accumulate and communicate” are particularly relevant for this case. DCP clearly applies to the concept of a known trend in MD&A, which may not be relevant to the financial statements. It also applies to information that may be relevant to accounting for contingencies, even when that information is in an operational area.
In the enforcement case mentioned above the company paid “a $1 million penalty to settle charges that deficient internal accounting controls prevented the company from properly assessing the potential impact on its financial statements of a defective ignition switch found in some vehicles.” Further,
“[t]he SEC’s order finds that the company’s internal investigation involving the defective ignition switch wasn’t brought to the attention of its accountants until November 2013 even though other (company) personnel understood in the spring of 2012 that there was a safety issue at hand. Therefore, during at least an 18-month period, accountants at the (company) did not properly evaluate the likelihood of a recall occurring or the potential losses resulting from a recall of cars with the defective ignition switch.
This case clearly addressed accounting for contingencies and the related GAAP disclosures. In other situations there may not be a contingency disclosure, but there could be a known trend in MD&A. Both are relevant issues as we work through year-end. What this all builds to is that the disclosure process, including both ICFR and DCP, has to reach beyond the information required for financial statement reporting.
It is all about communication! And this might be a good time to communicate this issue to your disclosure committee and all the parts of your organization.
As always, your thoughts and comments are welcome!