REVISITING SARBANES-OXLEY – WHY COMPANIES MUST CONSTANTLY REVIEW THEIR INTERNAL CONTROLS

Noah Gottesman, Thomson Reuters, May 2015

The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.

Senior executives have an attitude problem when it comes to internal control over financial reporting – the system that allows a company to maintain accurate financial information, both for external auditors and to meet its own management goals. They assume that internal control requires very little thought. They hold the illusion that as long as they do what the regulator says, and throw enough money at the issue, they can forget about the whole thing from one year to the next.

For this reason, senior executives at many companies had largely forgotten about internal control since the Sarbanes-Oxley Act (Sox), which revolutionized the concept, was enacted by the US Congress in 2002. Many have turned their attention to it again since May 2013, when the Committee of Sponsoring Organizations of the Treadway Commission (Coso), an association of accounting trade bodies, published an updated version of its 1992 document Internal Control – Integrated Framework. This document, commonly known as Coso 2013, sets out a framework for internal control that covers both financial reporting and other areas, including controls over operational and strategic functions.

In concentrating on this, however, they are making the same error as before. They assume that they can order their staff to implement Coso 2013, and then forget about internal control for another decade, until the next major initiative comes. In reality this is not enough. Coso 2013 sets out principles. When responding to these principles, executives need to ask some key questions about their internal controls, including:

• Are we applying our internal controls rigorously enough?
• Are we applying them broadly enough?
• What changes, either within the company or in the outside world, should force us to revise our internal control procedures?
• Is it time to change it all around?

When it is done well, internal control minimizes the risk of earnings surprises, poor corporate decisions and reputational damage. It creates a less accident-prone, more competent and more confident organization.

WHAT INTERNAL CONTROL REALLY MEANS

Back in 1992, Coso suggested that internal control comprises five components, and Coso 2013 retains them. In essence:

• The control environment – the set of standards, processes and structures that provide the framework for carrying out internal control across the organization. This includes the organizational structure, the ethical values of the company and its expectations of rigor in performance measures.
• Risk assessment – identifying and assessing the risks that could prevent the company achieving its objectives.
• Control activities – the actions that ensure management's risk-mitigation measures are actually carried out. These include authorizations, verifications and business performance reviews.
• Information and communication – generating the information internal control needs and disseminating it both within and outside the company.
• Monitoring activities – ongoing and separate evaluations that check whether internal control is working.

This definition of internal control took some time to be accepted, but became widely adopted by companies in the aftermath of Sox. It largely makes sense, though some experts have warned that Coso 2013's interpretation of the principles concentrates too much on internal threats to a company and too little on external ones, such as a change in the competitive environment.

WHAT SOX SAYS

The early 2000s saw a series of US corporate scandals, many of them involving accounting fraud. In 2001 it was revealed that Enron, the energy company, had hidden billions of dollars of losses.
In 2002 it was discovered that WorldCom, the telecoms company, had overstated cashflows. The slew of scandals cost investors billions of dollars as share prices collapsed. This shook public faith in the probity of the US corporate world – and that loss of faith threatened the future of an economy that relies on the investment of capital by the public.

Washington's response was the ambitious Sarbanes-Oxley Act, which set new or enhanced standards for all public company boards, management and public accounting firms. The full name of the Act sums up its purpose succinctly: "An Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes." It rests on the idea that the more accurate a company's financial reporting, the fewer nasty surprises there are for investors, and the greater the public confidence in the capital markets that are essential to the efficiency of the US economy.

The Act was wide-ranging. For example, it set out the responsibilities of the board of directors, tightened conflict-of-interest rules, and created criminal penalties for executive misconduct. It ramped up the regulatory regime for US accounting and internal control, since it was apparent that Coso's pre-existing Internal Control – Integrated Framework, written in 1992 to reduce fraudulent financial reporting, had not been sufficient.

The key part of Sox that relates to directors' responsibilities for internal controls is Section 404, which looks specifically at financial rather than non-financial controls. Section 404(a) requires management of every public company to assess the effectiveness of internal control over financial reporting and report the result annually; Section 404(b) requires the external auditor to attest to that assessment, with smaller companies exempt from the attestation requirement. The Securities and Exchange Commission (SEC) says that internal control over financial reporting should include procedures that:

• Provide reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in accordance with Generally Accepted Accounting Principles (GAAP), and that receipts and expenditures are made only in accordance with management's authorizations.
• Ensure the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the company's assets.
• Provide reasonable assurance regarding the prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

The US was not alone in tightening corporate internal controls in the early 2000s. Many other countries did so too, often in response to their own accounting scandals. Japan passed the Financial Instruments and Exchange Law (usually known as J-Sox) in 2006. Ireland passed the Company Law Enforcement Act in 2001 and the Companies (Auditing and Accounting) Act in 2003.

Despite these clear rules and guidelines from legislators, regulators and other authorities, there are many signs that the quality of both internal controls and the corporate accounts they underpin is often unsatisfactory:

• Accounting misses – in 2015 the International Forum of Independent Audit Regulators released a report showing continuing "high levels of deficiencies" in audits of public companies by audit firms around the world, many of them in the US. Of the audits judged unsatisfactory, 24% had deficiencies in internal control testing – more than for any other area. The Public Company Accounting Oversight Board (PCAOB) has regularly found fault with audits of public companies by both large and small accounting firms, with deficiencies in internal control testing a particularly common weakness.
• Hotlines – the sense that something is wrong with companies' internal control procedures is heightened by the statistics for whistleblowing.
The SEC's whistleblower program received 3,620 tips in fiscal 2014. Not only is this number high – it is also a 20% increase on 2012. That thousands of people felt more confident about resolving a breach of the rules by calling on outside help than by relying on internal procedures testifies to a lack of employee faith in internal control.
• Corporate scandals – the lack of adequate internal control is reflected in the large number of US corporate scandals since Sox was enacted. Revealing examples include:
— The JPMorgan "whale trade" of 2012 – a $6.2 billion loss in derivatives dealing. George Canellos, co-director of the SEC's division of enforcement, concluded that the bank "failed to keep watch over its traders as they overvalued a very complex portfolio to hide massive losses". The SEC found fault with the bank's internal controls for failing to ensure that the traders were properly valuing the portfolio, and with its senior management for failing to inform the firm's audit committee about severe breakdowns in the chief investment office's internal controls. In particular, during a series of internal reviews, senior management learned that the valuation control group within the chief investment office, whose function was to detect and prevent trader mismarking, was ineffective and insufficiently independent from the traders it was supposed to police. JPMorgan agreed to pay four regulators $920m, after admitting violating US federal securities laws.
— Numerous cases in which US companies have been fined for breaches of the Foreign Corrupt Practices Act (FCPA), which outlaws bribery. For example, in December 2014 the SEC charged the global beauty products company Avon Products Inc. with violating the FCPA by failing to put controls in place to detect and prevent payments and gifts to Chinese government officials by employees and consultants of its Chinese subsidiary.
Avon entities agreed to pay $135 million to settle the SEC's charges and a parallel case brought by the US Department of Justice. According to the SEC's complaint, Avon management learned about potential FCPA problems at the subsidiary through an internal audit report in late 2005. Management consulted an outside law firm, directed that reforms be instituted at the subsidiary, and sent an internal audit team to follow up. Ultimately, however, no such reforms were made. Avon finally began a full-blown internal investigation in 2008, after its CEO received a letter from a whistleblower.
— Numerous accounting miscalculations. For example, in March 2015 Genworth Financial Inc., a life and mortgage insurer, said that it had identified a "material weakness" in its control over financial reporting. Because of it, the company had failed to spot a $44 million error in its after-tax earnings: it had not implemented a change to one of its methodologies correctly as part of its long-term care insurance claim reserves review.

Many other countries have experienced their own extremely high-profile accounting scandals. In 2004 the auditors of Parmalat, the Italian dairy and food company, found €14.3 billion in hidden debts. In 2014 Tesco, the UK's biggest food retailer, said that it had overstated its half-year profit guidance by £263m.

Finally, a strong case can be made that the credit crunch of 2008 was largely caused by poor internal controls – including a failure to value mortgage assets correctly, and to monitor and limit counterparty exposure to individual financial companies at risk of falling into trouble.

WHY COSO 2013 ISN'T THE ANSWER

The Coso 2013 framework was drafted in response to a continued stream of corporate mishaps, missteps and scandals. Internal control and auditing experts felt that not enough had changed in the wake of Sox.
Coso 2013 is a private-sector initiative, jointly sponsored and funded by five organizations:
• The American Accounting Association
• The American Institute of Certified Public Accountants
• Financial Executives International
• The Institute of Management Accountants
• The Institute of Internal Auditors

Following Coso 2013 is not obligatory. However, the SEC requires companies subject to Sox to base their assessment on a suitable, recognized control framework, and Coso is by far the most widely used. Much of the discussion has centered on the framework's 17 principles, which aim to improve internal control. Each principle has a number of "points of focus". For example, Principle 1 is: "The organization demonstrates a commitment to integrity and ethical values." One of its points of focus is: "Processes are in place to evaluate the performance of individuals and teams against the entity's expected standards of conduct."

This example illustrates that Coso 2013 has many virtues, but its precepts are necessarily generalized and high-level, because the document seeks to cover the full range of companies operating in the US today. It lays the tracks for the journey to good internal control, but it does not take executives all the way. If executives are serious about improving their internal control, they have to regard each principle as a mere starting point. To take the quoted point of focus as an example, each business must do a lot of work of its own in deciding what processes should evaluate people against the expected standards of conduct – and further work in ensuring that those processes are put into practice. In other words, Coso 2013 is not sufficient without a genuine desire by senior executives to improve their internal controls.

HOW TO MAKE INTERNAL CONTROL BETTER

In order to make the most of Coso 2013, executives should step back and consider, in the broadest possible way, whether they are applying internal controls well enough.
They should ask themselves the four key questions posed earlier:

• Are we applying our internal controls rigorously enough? The PCAOB's Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial Reporting, published in October 2013, catalogued deficiencies that its inspectors were finding frequently in auditors' work. These included risk assessment and the audit of internal control, the selection of controls to test, and information technology. Most troubling, it found that audit firms failed to test controls for all the relevant assertions of the significant accounts and disclosures. In other words, the controls behind some of the figures in audited financial statements had never actually been tested, so it was hard to be confident that those figures were accurate.

• Are we applying them broadly enough? Many companies focus narrowly on financial controls. However, internal control is a broader concept. It is also about controlling the systems that might, if deficient, pose a risk to the financial results. For example, in its 2003 rules on management's reports on internal control over financial reporting, the SEC refers to the need to prevent unauthorized acquisition or use of the company's assets that could have a material effect on the financial statements. That includes access control, credential management and the rest of cyber security. In the Target breach, disclosed in December 2013, attackers used credentials stolen from a refrigeration contractor to get into the retailer's network, moved from there to the point-of-sale systems, and installed malware on checkout terminals that captured card data as it was processed – putting the details of 40 million credit and debit cards at risk. The public accounts of the breach point to two familiar control failures: a third party's account with more reach than its purpose required, and no effective segmentation between vendor-facing systems and the payment network. As well as prompting the resignations of the company's CEO and CIO, the breach forced Target to book a $148 million charge.

• What changes, either within the company or in the outside world, should force us to revise our internal control procedures?
Since Sox was enacted in 2002, an enormous amount has changed in the business world, as well as in society in general. This should have generated significant change in the way internal control is undertaken – but in many cases it hasn't. Examples of changes include:
— The creation, within business groups, of many more overseas companies and legal entities designed to minimize tax liabilities. Each of these needs to be covered by internal control and documented.
— The increasing sophistication of cyber criminality, as shown by the case of Target and many other companies. In well-run companies this has provoked much stronger security controls, including more frequent password changes and passwords that combine letters, numbers and punctuation, which are harder to guess or crack. Too often, though, such standards are left to the discretion of individual staff rather than enforced by the identity system and tested like any other control. (Later guidance, notably NIST SP 800-63B in 2017, favors long passwords, screening against known-breached passwords and multi-factor authentication over composition rules and routine forced changes; the underlying point, that the standard must be enforced centrally and tested, still holds.)
— Changes in notions of ethical corporate behavior, including the use of finite resources and of resources that may contribute to climate change. Given these issues, codes of conduct need to be updated annually.

• Is it time to change it all around? Change for the sake of change sounds counter-intuitive. But it is often extremely effective when it comes to procedures that have become routine and stale, the point at which staff go through the motions of control without thinking about what might be most effective. Take a hypothetical example. Every year, access to the inventory system at a manufacturer's factory is tested by checking the system's list of who has access against the HR list of who still works at the plant, to work out who should be removed from or added to the list. One year, an external auditor decides to look at it a different way. Instead of starting from the access list, he takes the inventory system's own log of transactions and compares the people who actually posted them against the HR list.
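The two reviews in this hypothetical, as an added example that is not part of the original paper: a short Python script that runs both over constructed data. The HR roster, the inventory system's access list, the log format and every name, SKU and date in it are invented for the illustration; a real system's log would need its own parser. The routine check compares the access list with HR. The auditor's check reads the transaction log instead and asks, for each person who actually moved stock, whether HR knew them on that date and whether they were ever on the access list at all.

```python
"""Access review for an inventory system, two ways.

Everything here is constructed sample data for the illustration: the HR
roster, the inventory system's access list, the log format and every
name, SKU and date in it. Real systems will need their own parser.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: who works, or worked, at the plant.
HR_ROSTER = {
    "amartin": {"status": "active", "left": None},
    "bchen": {"status": "active", "left": None},
    "cpatel": {"status": "terminated", "left": date(2015, 1, 31)},
    "dkim": {"status": "active", "left": None},
}

# Constructed access list: accounts provisioned in the inventory system.
INVENTORY_ACL = {"amartin", "bchen", "cpatel", "dkim"}

# Constructed transaction log from the inventory system, one event per line.
# The final line is deliberately malformed to show how such lines are handled.
INVENTORY_LOG = """\
2015-02-03T08:12:44 user=amartin action=RECEIVE sku=PN-4471 qty=200
2015-02-03T09:40:01 user=cpatel action=ISSUE sku=PN-4471 qty=-150
2015-02-04T14:05:19 user=bchen action=ADJUST sku=PN-9003 qty=-40
2015-02-05T17:55:02 user=svc_batch action=ADJUST sku=PN-9003 qty=-500
2015-02-06T07:30:10 user=dkim action=RECEIVE sku=PN-1200 qty=75
2015-02-06T18:02:33 user=tnguyen action=ISSUE sku=PN-1200 qty=-75
2015-02-07 11:00 OPERATOR NOTE: manual stock count, see binder
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} user=(?P<user>\S+) "
    r"action=(?P<action>\S+) sku=(?P<sku>\S+) qty=(?P<qty>-?\d+)$"
)


@dataclass(frozen=True)
class Finding:
    check: str     # "acl" for the routine review, "log" for the auditor's
    user: str
    reason: str
    evidence: str  # the access-list entry or log line that triggered it


def review_acl_against_hr(acl: set[str], roster: dict) -> list[Finding]:
    """Routine annual check: every provisioned account must belong to an active employee."""
    findings = []
    for user in sorted(acl):
        rec = roster.get(user)
        if rec is None:
            findings.append(Finding("acl", user, "account not in HR roster", f"acl:{user}"))
        elif rec["status"] != "active":
            findings.append(Finding("acl", user, "employee has left; access not revoked", f"acl:{user}"))
    return findings


def review_log_against_hr(log_text: str, acl: set[str], roster: dict) -> list[Finding]:
    """Auditor's check: who actually moved stock, and did HR know them at the time?"""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            # The log is the evidence, so a line it cannot account for is a
            # finding in its own right rather than something to skip silently.
            findings.append(Finding("log", "?", "unparseable log line", line))
            continue
        when, user = date.fromisoformat(m["ts"]), m["user"]
        rec = roster.get(user)
        if rec is None:
            findings.append(Finding("log", user, "transaction by account unknown to HR", line))
        elif rec["left"] is not None and when > rec["left"]:
            findings.append(Finding("log", user, "transaction after termination date", line))
        if user not in acl:
            # Activity by an account that was never provisioned means the access
            # list the annual review relies on is not the whole picture.
            findings.append(Finding("log", user, "transaction by account not on the access list", line))
    return findings


if __name__ == "__main__":
    for f in review_acl_against_hr(INVENTORY_ACL, HR_ROSTER) + review_log_against_hr(
        INVENTORY_LOG, INVENTORY_ACL, HR_ROSTER
    ):
        print(f"[{f.check}] {f.user}: {f.reason} <- {f.evidence}")
```

Run as a script it prints each finding with the entry or log line that triggered it. On the sample data the routine review reports a single stale account, while the log review additionally turns up stock movements by accounts that were never provisioned and a log line the parser cannot read. Comparing lists of entitlements can never reveal either, because it only examines who was allowed to act, not who did.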
Major discrepancies are found – activity that the annual comparison of lists would never have surfaced, because it only ever examined who was entitled to act, not who actually did.

MONEY ISN'T THE ANSWER

Senior executives will be relieved to hear that the problem is not really about money. They do not need to increase costs if the systems that improve internal control are intelligently designed. They may, however, be dismayed to hear that the problem does require them to spend more of their own time on internal control. Their personal responsibility for internal control is set out in Section 302 of Sox, which makes "the principal executive officer or officers and the principal financial officer or officers" responsible for "establishing and maintaining internal controls". They must also evaluate the effectiveness of those controls as of a date within 90 days before each annual or quarterly report, and certify the result.

Naturally, senior executives cannot perform the work of internal control on their own. They need to maximize the effectiveness of the people who are helping them. This includes:

• Training staff. Staff need training, at least annually, in risk assessment and methods of internal control. This training should be broad and up to date, including the latest thinking on ethics, cyber security and so on.
• Rotating external auditors. This is rarely done at large public companies, and PCAOB proposals to mandate it have stalled. It is nonetheless essential, because it provokes fresh thinking about internal control. Remember the example of the manufacturer's inventory system.
• Aligning the pay of staff more closely with the aims of internal control. This should start at the top: CEOs should not receive a bonus if there is a serious failure of internal control at the company, such as an ethics violation, a major cyber security breach, or an accounting error caused by the poor quality of information submitted by the company to its external auditors.

What sort of questions should CEOs be asking to ensure that internal control is effective?
A good technique is to borrow the approach auditors themselves use: proactively sample a few items at random and check whether they meet the company's internal control principles. It is also a good idea to talk to junior as well as senior control staff, to get a picture of how well internal control is working throughout the firm. A good general principle is to do the unexpected sometimes, rather than giving senior members of the internal control function an easy time by letting them second-guess you.

BENEFITS

This paper has concentrated largely on the problems caused by poor internal control. However, we should also emphasize the benefits of good internal control, while drawing attention to the perils of managing this function badly. The benefits include:

• Smoother earnings. Many of the profit warnings issued by listed US companies arise from a poor internal control environment. In July 2012 JPMorgan was forced to restate its first-quarter earnings because of the whale trade, reducing its net income for the quarter by $459 million. It also admitted a "material weakness" in internal controls. Companies with good internal controls tend to stay out of the headlines because they report more consistent profits and fewer earnings surprises. Qualcomm, the semiconductor and telecoms equipment manufacturer, provides a textbook example. In a quarterly earnings release in January 2015, it disclosed that a large customer was not expected to use its processor. By revealing this early, before earnings had actually been hit, it showed a strong grasp of internal control, including both good risk assessment and effective information and communication. Investors were reassured.
• Better corporate decisions. In 2011 Hewlett-Packard acquired Autonomy, the UK software company, for about $11.1bn. In November 2012, little more than a year later, HP wrote down the value of the business by $8.8bn.
The deal, sometimes described as one of the worst in corporate history, was botched because HP's internal control procedures were found wanting: before acquiring the company, HP failed to conduct basic financial analysis and due diligence.
• Well-managed reputational risk. Companies that suffer a serious failure of internal control are often tarnished for many years, which reduces their ability to attract new clients. Customers demand a high standard of ethics and competence, and the secure holding of private information about them. If they do not get this, they will find other companies that can provide it.

SUMMARY

Good internal control over financial reporting is key to the success of corporations, but senior executives often neglect it. When internal control is poorly executed it causes reputational damage, volatility of earnings and poor corporate decisions, such as ill-thought-out takeovers. When it is done well, internal control minimizes the risk of earnings surprises, poor corporate decisions and reputational damage. Internal control does not need millions of extra dollars thrown at it, but in many cases it needs clearer thinking and more management time. Relying on the Coso 2013 framework is not enough – it is just a starting point, though in many ways a good one. US corporations have the money, the capacity and the talent to raise their internal controls to a level of excellence.

ABOUT THE AUTHOR

Noah Gottesman is a Certified Internal Auditor with over fifteen years of compliance, internal audit, internal control and risk management experience. At Thomson Reuters Accelus, Noah serves as the Audit Advisory and Innovation Director within Professional Services, assisting clients with Accelus implementations. Prior to joining Thomson Reuters, Noah spent thirteen years with a big-four accounting firm, gaining global experience across a wide range of industries, including banking and financial services, technology and insurance.

THOMSON REUTERS RISK MANAGEMENT SOLUTIONS

Risk Management Solutions bring together trusted regulatory, customer and pricing data, intuitive software and expert insight and services – an unrivaled combination in the industry that empowers professionals and enterprises to confidently anticipate and act on risks – and make smarter decisions that accelerate business performance.

For more information, visit accelus.thomsonreuters.com

© 2015 Thomson Reuters GRC02739/5-15