SOX 404 Dashboard Year 6 Update
Total Page:16
File Type:pdf, Size:1020Kb
SOX 404 Dashboard Year 6 Update October 2010 Mark Cheffers, CPA, ABV, CEO [email protected] 508.476.7007 x223 Don Whalen, Esq. Research Director [email protected] 508.476.7007 x222 Maggie Thrun, Research Analyst [email protected] 508.476.7007 x236 ® Audit Analytics October 2010 Table of Contents Page A. Summary x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 1 B. Introduction x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 2 C. SOX 404 Requirement History: The Staggered and Two-Tiered Implementation of SOX 404 x 2 D. Executive Summary – Year 6 Section SOX 404 Update x x x x x x x x x x x x x x x 3 E. SOX 404 Year 5 Tables x x x x x x x x x x x x x x x x x x x x x x x x x x x 7 F. SOX 404 Year 6 Tables (Partial Year Data)x x x x x x x x x x x x x x x x x x x x 20 G. Definitions for the Internal Control Issuesx x x x x x x x x x x x x x x x x x x x x 33 H. Definitions for the GAAP/Accounting Areas of Failure x x x x x x x x x x x x x x x x 35 I. Definitions for Exemption Reasons x x x x x x x x x x x x x x x x x x x x x x x 37 J. Overview: Audit Analytics x x x x x x x x x x x x x x x x x x x x x x x x x x x 38 AuditAnalytics.com ● 9 Main Street 2F, Sutton, MA 01590 ● (508) 476-7007 ● [email protected] ® Audit Analytics October 2010 SOX 404 Dashboard; Year 6 Update Summary In response to the Enron and Worldcom application. As of the research date of this collapses, Congress passed the Sarbanes- analysis, June 2, 2010, SOX Year 6 was not Oxley Act of 2002 (“SOX”) to better protect complete. Nevertheless, the SEC received a investors. Section 404 of SOX (“SOX 404”) total of 3,356 auditor attestation opinions and requires companies to review their internal 3,066 management-only opinions. As shown in controls over financial reporting (“ICFRs”) and the graph below, the adverse percentage rate declare whether their ICFRs are “effective” or for auditor attestations has decreased every “ineffective.” In other words, they must year since SOX 404 began. The Year 1 rate of determine if their ICFRs are adequate enough to 16.9% dropped to 2.4% for the status of Year 6. produce financial statements that are complete and accurate. At this stage of SOX 404 implementation, large companies must have an auditor attest to the management’s assessment of ICFRs while smaller companies are not required to include the auditor in the process. (These small company filings are referred to as management-only reports.) SOX 404 first applied to United States accelerated filers in their annual reports for fiscal years ending on or after November 15, 2004. By mid July 2007, SOX 404 also applied to all foreign accelerated filers. Non-accelerated filers began filing management-only assessments in annual reports for the fiscal years ending on or after December 15, 2007. The Dodd-Frank Act The percentage of adverse Auditor Attestations has exempted non-accelerated filers from the decreased every year since SOX 404 began. requirements of SOX 404(b), the audit attestation submission. Even if one assumes that overdue filings will come in as adverse disclosures in the near future, SOX 404 Year 6 is expected to end As of June in SOX 404 Year 6, the with an adverse rate of about 2.8%. percentage of adverse Auditor Attestations was the lowest to date. Likewise, a Year 6 analysis of companies Likewise, the percentage of adverse that filed management-only reports found an Management-Only Assessments filed improvement in the adverse percentage rate. So far in Year 6, adverse management-only was the lowest, but this rate was reports were at 27.8% while the prior three about 10 times higher than the rate years experienced the following adverse experienced by companies required percentage rates: 32.3% in Year 5, 32.0% in to file Auditor Attestations. Year 4, and 32.8% in Year 3. The Year 6 rate of 27.8% is the lowest rate to date, but nevertheless the rate is about 10 times Based on the start date of November 15, 2004, higher than the rate experienced by SOX 404 is presently in its sixth year of companies required to file auditor attestations. AuditAnalytics.com - 9 Main Street 2F, Sutton, MA 01590 - (508)476-7007 - [email protected] 1 ® Audit Analytics October 2010 Introduction Both the Enron and Worldcom collapse culminated from a practice of disguising the true operating performance of the companies. In response these meltdowns, Congress passed the Sarbanes-Oxley Act of 2002 (“SOX”). In its title, the declared purpose of SOX is to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” One section of SOX, Section 404 (“SOX 404”), furthers this goal by instructing the SEC to prescribe rules imposing a duty on officers and management to implement, review, and certify the effectiveness of a company’s internal controls for financial reporting (ICFRs).1 In addition, the registered public accountant is to attest to and report on the management’s assessment. In short, SOX 404(a) requires management to assess a company’s ICFRs while SOX 404(b) requires a registered public accountant to attest to the management’s report. SOX 404 Requirements History: The Staggered and Two-Tiered Implementation of SOX 404. SOX 404, presently in its sixth year of application,2 began to apply to different categories of companies at different times. Moreover, as summarized in the table below, the two subsections of SOX 404, subsection 404(a) and 404(b), did not necessarily come into effect at the same time. United States accelerated filers3 were first required to provide SOX 404 certifications in annual reports for fiscal years ending on or after November 15, 2004. At that time both provisions were required: the management assessment (subsection 404(a)) and the auditor attestation (subsection 404(b)). During SOX 404’s third year of application, its provisions began to apply a new category of public registrant: accelerated foreign filers. For year 3, a large accelerated foreign filer was required to adhere to both provisions in its annual report for the fiscal year ending on or after July 15, 2006. However, an accelerated foreign filer that was not a large accelerated foreign filer was given a gradual two-tier requirement. That category of foreign filer was only required to provide a management opinion for July 15, 2006 and did not need to give an auditor attestation until the following year. In similar fashion, the SEC initially intended to apply a two-step approach to non-accelerated filers. Non-accelerated filers were required to provide a management opinion (but not an auditor attestation) in their annual reports for the fiscal years ending on or after December 15, 2007. Before subsection 404(b) became effective, however, the Dodd-Frank Act exempted the non-accelerated filers from the auditor attestation requirement.4 Therefore, except for asset backed securities and registered investment companies,5 all SEC registrants are required to provide at least a management report and accompanying certification6 in their annual reports unless the annual report is their very first (unless the registrant is a “newly public company”7). 1 In general, Section 404 requires that each annual report contain an “internal control report” that (1) acknowledges the management’s responsibility to maintain adequate internal controls, (2) identifies the “framework” used to evaluate the effectiveness of the internal controls over financial reporting, and (3) provides an assessment of the effectiveness of these internal controls as of the end of the fiscal year. 2 In this analysis, Year 6 (still ongoing) is defined as November 15, 2009 to November 14, 2010, inclusive. This 12-month period is consistent with the initial SEC requirement that United States accelerated filers comply with Section 404 in annual reports for fiscal years ending on or after Nov. 15, 2004. 3 An accelerated filer is a company whose public Float (as opposed to Market Capitalization) exceeds $75 million as of the last day of their second quarter. Once a registrant becomes an accelerated filer, it will not lose this status unless its float drops below $50 million. A large accelerated filer is a company whose public Float exceeds $700 million. See Rule 12b-2 of the Securities Exchange Act of 1934. 4 See Section 989G of the Dodd-Frank Wall Street Reform and Consumer Protection Act. 5 Registered investment companies are expressly exempt from Section 404 by Section 405 of SOX. 6 The SEC provides a form entitled “CERTIFICATIONS” to be attached to the annual report that contains the necessary language for a 404 certification. A separate copy of this form must be signed by both the CEO and CFO without any change in the language and attached as Exhibit 31.