January 30, 2017
The Often Overlooked Section 404a
Suppose you are the CFO of a small public company, and you're having a conversation with a peer who is the CFO of an accelerated filer. "How are you handling SOX at your company?" your friend asks. "We're not an accelerated filer, so SOX does not apply to us," you respond.
How often do you think some variation of this conversation occurs? Probably every day.
If you believe that your organization is not subject to the requirements of the Sarbanes-Oxley Act of 2002 (commonly referred to as "SOX"), you are mistaken.
While SOX entails various considerations, this conversation pertains to specific reporting requirements. The most commonly discussed aspect of SOX reporting is the requirement for certain filers to have their Internal Controls over Financial Reporting ("ICFR") audited by an independent registered public accountant, in addition to the audit of the financial statements.
This requirement applies to both accelerated filers* and large accelerated filers.** It typically leads to an uptick in time for the company's internal accounting staff, as well as increased fees from the independent auditor. Unfortunately for filers, the investment in both is a necessary by-product of SOX compliance.
The ICFR audit and reporting rules are covered in section 404b of the Act. In addition, all companies are also required to follow section 404a, which prescribes rules requiring every annual report to contain an ICFR certification. The certification shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the registrant, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
In other words, section 404a requires companies to document, walk-through and test their own ICFR and to file a self-assessment of the effectiveness of those controls in their Form 10K annual filing, as well as their Form 10Q quarterly filings. A sample of this annual assessment as filed by a small public company is as follows:
Evaluation of Internal Controls and Procedures
Under the supervision and with the participation of our management, including the Chief Executive Officer and Chief Financial Officer, we have evaluated the effectiveness of our disclosure controls and procedures as required by Exchange Act Rule 13a-15(b) as of the end of the period covered by this report. Based on that evaluation, the Chief Executive Officer and Chief Financial Officer have concluded that these disclosure controls and procedures are effective.
Management's Report on Internal Control over Financial Reporting
Management of the Company is responsible for establishing and maintaining adequate internal control over financial reporting. The Company's internal control over financial reporting is designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles in the United States of America. The Company's internal control over financial reporting includes those policies and procedures that: (i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the Company; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles in the United States of America, and that receipts and expenditures of the Company are being made only in accordance with authorizations of management and directors of the Company; and (iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the Company’s assets that could have a material effect on the financial statements.
Any system of internal control, no matter how well designed, has inherent limitations, including the possibility that a control can be circumvented or overridden and misstatements due to error or fraud may occur and not be detected in a timely manner. Also, because of changes in conditions, internal control effectiveness may vary over time. Accordingly, even an effective system of internal control will provide only reasonable assurance with respect to financial statement preparation.
Management assessed the effectiveness of the Company's internal control over financial reporting as of December 31, 20XX. In making this assessment, management used the criteria set forth in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in "Internal Control-Integrated Framework." Based on management’s assessment using the COSO criteria, management has concluded that the Company's internal control over financial reporting was effective as of December 31, 20XX.
This annual report does not include an attestation report of the Company's registered public accounting firm regarding internal control over financial reporting. Management's report was not subject to attestation by the Company's registered public accounting firm pursuant to the rules of the Securities and Exchange Commission that permit the Company to provide only management's report in this Annual Report.
Returning to our starting point, "Small Reporting Companies" that are not required to have their controls audited often mistakenly believe they are exempted from performing the work associated with 404a. Some think that, if no one is auditing their controls, it is unnecessary and costly to spend the time and resources to document and test their ICFR. Meanwhile, companies that do not test their controls have no basis for their assessment of the operating effectiveness of ICFR certified by the CEO and CFO on the Form 10-K. In fact, it is unlawful for companies to issue a clean assessment without having documentation to support their conclusion.
In a recent order and initial decision released by the Securities and Exchange Commission (SEC), dated February 13, 2015, and December 21, 2015, respectively, the SEC charged two former top executives for, among other issues, failing to assess internal controls.
The docket explained that:
"Rule 13a-15(c) requires management of such issuers to evaluate, with the participation of the principal executive and principal financial officers (or persons performing similar functions), the effectiveness of the issuer's ICFR as of the end of each fiscal year."
It further states:
"The registrant 'must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the registrant's internal control over financial reporting,' as stated in the instructions to Regulation SK, Item 308, Internal Control over Financial Reporting." The 2007 Guidance similarly states, 'Management is responsible for maintaining evidential matter, including documentation to provide reasonable support for its assessment.'"
"Rule 13a-14, Certification of Disclosure in Annual and Quarterly Reports, requires each Form 10-Q and 10-K to include certifications signed by each principal executive and principal financial officer of the issuer (or persons performing similar functions). Among other things, the certifying officers must confirm that the report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by [the] report."
The former executives were charged with including in Form 10-K and Form 10-Q an assessment of ICFR stating that management had assessed ICFR using the criteria set forth by the Committee of Sponsoring Organizations of the Treadway Commission in Internal Control – Integrated Framework (the COSO Framework, an industry standard for ICFR framework). The SEC found that these statements were false, as the company either did not evaluate ICFR or did not evaluate ICFR using the COSO Framework.
In addition, the company allegedly did not maintain any documentation of management's assessments of ICFR. As discussed above, a registrant "must maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of the registrant's internal control over financial reporting." For these reasons, the former executives' certifications that the company had assessed ICFR using the COSO Framework were deemed false. The initial decision release upheld many of these allegations, and sanctions were ordered, including but not limited to civil penalties.
This is just one of many examples that illustrate the consequences of not properly documenting and maintaining ICFR information to support assessments.
With this in mind, it may be worthwhile to consider brushing up on your 404a documentation. One initial point to start with is to take a look at the framework you are currently using to assess your organization's internal controls. If you have not updated your internal controls in a while, it is likely you are using the 1992 COSO Framework. While this was a longstanding industry standard and the most current when SOX was introduced, COSO issued a new framework in 2013 (commonly referred to as COSO 2013).
The COSO 2013 framework is similar but not identical to the preceding framework. It contains three categories of objectives (Financial Reporting, Operations, and Compliance) and five components of internal controls (Control Environment, Risk Assessments, Control Activity, Information and Communication, and Monitoring Activities). But the 2013 framework introduces 17 codified principles (points of focus), that can be mapped to current controls and cross-referenced to each point of focus. This allows companies to identify gaps and implement controls until all points of focus are covered.
Whether starting from scratch or updating your old ICFR documentation, companies today are strongly urged to adopt the newer COSO framework which is widely recognized as a best practice. Further, in the certifications included in filings, companies are required to state which ICFR framework they are using. If the 1992 framework is still being used, the SEC may view it as a red flag that proper records are not being maintained to support the company's ICFR assessment.
Once a framework is selected, existing controls and functions by position must be updated as well. Companies continuously evolve through the addition and elimination of positions; these fluctuations can necessitate changes to the control structure. Be sure to perform walk-throughs of controls in order to determine accuracy and effectiveness. Once controls are documented, assign an individual or group of individuals to test "key" controls. These controls should be tested throughout the year or cover at least 10 months of activity over the entire 12-month population. Sample sizes vary, but it is safe to say that a minimum of 40-60 selections should be tested to satisfy daily controls; four to eight selections should be tested to satisfy monthly controls. Testing work papers should be maintained and a summary of deficiencies should be prepared. Deficiencies can be remediated if caught early in the process and appropriately retested. Material weaknesses, which are deficiencies or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis, are required to be reported by management in the company's assessment of ICFR. If minimal deficiencies are found and ICFR is designed properly, management can report that ICFR was effective.
In conclusion, CEOs and CFOs should understand that, by signing the company's certifications of ICFR, they are stating that they have performed, maintained and designed appropriate ICFR documentation to support the certification. Failure to do so will leave senior executives to face the consequences.
* The term "accelerated filer" means an issuer after it first meets the following conditions as of the end of its fiscal year (i) The issuer had an aggregate worldwide market value of the voting and non-voting common equity held by its non-affiliates of $75 million or more, but less than $700 million, as of the last business day of the issuer's most recently completed second fiscal quarter; (ii) The issuer has been subject to the requirements of section 13(a) or 15(d) of the Act (15 U.S.C. 78m or 78o(d)) for a period of at least twelve calendar months; (iii) The issuer has filed at least one annual report pursuant to section 13(a) or 15(d) of the Act; and (iv) The issuer is not eligible to use the requirements for smaller reporting companies in Part 229 of this chapter for its annual and quarterly reports.
** The term "large accelerated filer" means an issuer after it first meets the following conditions as of the end of its fiscal year (i) The issuer had an aggregate worldwide market value of the voting and non-voting common equity held by its non-affiliates of $700 million or more, as of the last business day of the issuer's most recently completed second fiscal quarter; (ii) The issuer has been subject to the requirements of section 13(a) or 15(d) of the Act for a period of at least twelve calendar months; (iii) The issuer has filed at least one annual report pursuant to section 13(a) or 15(d) of the Act; and (iv) The issuer is not eligible to use the requirements for smaller reporting companies in Part 229 of this chapter for its annual and quarterly reports.