By sending a clear message through the enforcement process, the SEC has come full circle in their concerns about whether ICFR audits are finding material weaknesses. The staff has said on numerous occasions that they see too many situations where a company identifies a control deficiency but the company’s analysis fails when assessing whether the control deficiency is in fact a material weakness.
Over the last few years the SEC Staff have emphasized their concerns in numerous speeches and other public settings. As they sometimes do when they don’t see companies listening, they have also emphasized this issue through enforcement.
This enforcement is dramatic, involving:
The company
Two company officers
The audit partner
The ICFR consulting firm partner (a surprise here!)
This excerpt from a December 2015 speech by Deputy Chief Accountant Brian Croteau summarizes the SEC’s concerns:
Still, given the frequency with which certain ICFR issues are identified in our consultations with registrants, I’d be remiss not to remind management and auditors of the importance of properly identifying and describing the nature of a control deficiency and understanding the complete population of transactions that a control is intended to address in advance of assessing the severity of any identified deficiencies. Then, once ready to assess the severity of a deficiency, it’s important to remember that there are two components to the definition of a material weakness – likelihood and magnitude. The evaluation of whether it is reasonably possible that a material misstatement could occur and not be prevented or detected on a timely basis requires careful analysis that contemplates both known errors, if any, as well as potential misstatements for which it is reasonably possible that the misstatements would not be prevented or detected in light of the control deficiency. This latter part of the evaluation, also referred to as analysis of the so called “could factor,” often requires management to evaluate information that is incremental to that which would be necessary, for example, for a materiality assessment of known errors pursuant to SAB 99. The final conclusions on severity of deficiencies frequently rest on this “could factor” portion of the deficiency evaluation; however, too often this part of the evaluation appears to be an afterthought in a company’s analysis. Yet consideration of the “could factor” is very important.
The issue is clear; too often companies are finding a control deficiency but not appropriately evaluating the severity of the issue to determine if it is a material weakness.
In a “classic” example this SEC enforcement involves a company that performed its annual ICFR evaluation and stated in its form 10-K that ICFR was effective at year-end. Then, shortly after that report in their Form 10-K, the company restated its financial statements and disclosed the existence of a material weakness. It is very unlikely that the material weakness arose between the year-end of the Form 10-K and the date of the restatement.
You can read about the enforcement in this press release, which also has links to the SEC Enforcement Orders for the company and the individuals involved:
www.sec.gov/news/pressrelease/2016-48.html
The fact that the company and auditor were named is not surprising. What is surprising is that the firm the company retained to provide SOX 404 services, which included assisting “management with the documentation, testing, and evaluation of the company’s ICFR” and no external report, was included in the enforcement.
This is a loud and clear message to all participants in the process! Be thorough and complete in your evaluation of control deficiencies!
If you would like to delve a bit deeper into this issue one of our follow-up posts to this year’s Form 10-K Tune-Up One Hour Briefing focused on ICFR issues, including the issue raised in this enforcement case.
You can read our post at:
seciblog.pli.edu/?p=530
As always, your thoughts and comments are welcome and appreciated!