It’s getting much harder for public companies to keep skeletons in their closets. As they ready internal controls for the harsh light of Section 404-compliance testing, the pressure to disclose problems uncovered in the process has become palpable.
In the first six months of the year, more than 100 companies raised red flags about the current state of their internal controls in their Securities and Exchange Commission filings, largely at the behest of their auditors, according to a CFO magazine analysis of a database compiled by Compliance Week newsletter. While there is no comparable data for previous years, the month-over-month growth — from 10 in January to 32 in June and 30 in July — has convinced many experts that such public confessions are on the rise.
“Even though Section 404 certifications won’t start to be due until later this year, you’re seeing a lot of companies trying to get ahead of the curve,” says Stephen Poss, senior partner and chair of the securities litigation, SEC enforcement, and corporate-governance practice area at law firm Goodwin Procter LLP. He expects those numbers to increase until the completion of the first round of Section 404 testing, “as more companies get word from their auditors that they may have problems.”
“Problems” can mean poor procedures or IT weaknesses, but in many cases they are more basic: unqualified or inadequate finance staffs. “A company needs to have a certain amount of [in-house] knowledge to determine the appropriate accounting issues, now that it cannot rely so heavily on its auditor,” says Richard Steinberg, who led Pricewaterhouse-Coopers’s governance practice before starting his eponymous consulting firm. The deficiencies that BDO Seidman noted at $14.5 million Advanced Materials Group Inc., which included operating without a full-time CFO and a lack of staff expertise, were typical of what one-third of companies making disclosures heard. And while smaller companies are most susceptible to such criticisms, large companies are not immune. PwC told international insurance giant AXA that the company had “insufficient personnel in the corporate accounting department with sufficient knowledge…of U.S. GAAP,” the company reported in June.
With the threat of Section 404 failures looming, many firms are scrambling to fix their problems by hiring additional personnel and reorganizing. Thanks to quarterly Section 302 certification requirements, though, many are finding that agreeing to remedy weaknesses also entails reporting them. That means even the companies that end up passing Section 404 may be exposed to unwelcome investor scrutiny. The big question, says Wayne Avellanet, director of internal control at SST Truck Co., is: “Will I suffer the consequences of having a material weakness because I have a problem I can’t fix fast enough?”
What Is Reportable?
Companies have long been required to disclose control weaknesses, but before Sarbanes-Oxley, they were rarely held accountable for knowing about them. The annual testing that Section 404 demands now leaves executives with little opportunity to plead ignorance. “With all the documentation and monitoring required, companies are much more likely to detect problems now,” says Steve Wagner, a partner with Deloitte & Touche LLP and co-chair of its Sarbanes-Oxley steering committee. Although the controls covered by 302 are not exactly congruent to those described by 404, there is enough overlap so that “CFOs should be vigilant about any disconnects,” says Poss.