Internal Controls: The Battlefront in the War on Fraud
Since being named Securities and Exchange Commission (SEC) Chair, Mary Jo White has repeatedly promised to increase the agency’s efforts to combat financial reporting fraud. Over the last year, her enforcement staff has made companies’ internal controls the main battlefront.
Linking misconduct to internal control deficiencies
The SEC sees internal control deficiencies as a widespread problem. In fact, internal control breakdowns are a common denominator in most financial reporting fraud cases. By focusing on internal controls in its enforcement actions, the SEC hopes to encourage senior managers to properly supervise business units that may be more susceptible to fraud.
Greater attention to internal controls is likely to lead to fewer accounting errors and misstatements. Financial restatements have declined in the past few years, but accounting revisions are on the rise, according to Stephen Cohen, associate director of the SEC’s Division of Enforcement.
For example, one financial reporting problem spot is the complex cash flow reporting requirements of Statement of Financial Accounting Standards (SFAS) No. 95, Statement of Cash Flows (the Financial Accounting Standards Board’s Accounting Standards Codification Topic 230). This standard gives a company significant room for judgment, causing some companies to misapply it.
Internal controls often break down when reporting cash flows, because they’re typically prepared late in a company’s financial reporting cycle — and management may not give this aspect of financial reporting the level of attention it needs. So, SEC staffers have told public companies to pay more attention to their cash flow reporting to avoid the misstatements.
The SEC’s handling of cash flow reporting misstatements is similar to its approach when a company is found to have any unresolved accounting matter. SEC staff work through the accounting issue with the company. Typically, this involves examining the company’s internal controls to get at the problem’s source. The agency is also giving more attention to misstatements of minor issues as a means toward preventing misstatements of more significant financial matters.
Holding gatekeepers accountable
In addition to combating financial fraud and enhancing issuer disclosure, the SEC is increasingly holding gatekeepers — including managers, attorneys and accountants — accountable for misconduct. Increased gatekeeper accountability means that managers who engage in misconduct are being forced to publicly admit wrongdoing, especially in cases of egregious misconduct or where large numbers of investors were harmed. Admission combined with fines and prison sentences sends a powerful message to the markets.
Likewise, the SEC is putting public company auditors under added pressure to evaluate their audit clients’ internal controls. This pressure came in at roughly the same time as the December 15, 2014, compliance deadline for implementing the updated Internal Control — Integrated Framework that was issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Updating the framework
COSO updated its original framework in 2013, because business and operating environments have changed dramatically over the last 20 years. The updated COSO framework retains the core definition of internal controls and the five components required under the Sarbanes-Oxley Act’s Section 404 provisions:
- Control environment. A set of standards, processes and structures is needed to provide the basis for carrying out internal controls across the organization.
- Risk assessment. This dynamic, iterative process identifies stumbling blocks to the achievement of the company’s objectives and forms the basis for determining how risks will be managed.
- Control activities. Policies and procedures are necessary to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
- Information and communication. Relevant and quality information supports the internal control process. Management needs to continuously obtain and share this information with people inside and outside of the company.
- Monitoring. Management should routinely evaluate whether each of the five components of internal controls is present and functioning.
A significant enhancement in the updated framework is the formalization of fundamental concepts that were introduced in the original framework. The updates also reflect changes in the business environment over the past several decades, including:
- Expectations for governance oversight,
- Globalization of markets and operations,
- Changes and greater complexities of business,
- Demands and complexities in laws, rules, regulations and standards,
- Expectations for competencies and accountabilities,
- Use of, and reliance on, evolving technologies, and
- Expectations relating to preventing and detecting fraud.
During the coming audit season, auditors will be evaluating whether their clients are in compliance with the updated internal control framework. Public companies that didn’t meet the December 15 deadline ran the risk of getting a comment letter from the SEC if they didn’t have effective control over financial reporting under Section 404 of the Sarbanes-Oxley Act.
But the updated COSO framework applies to all entities: large, midsize and small, whether for-profit, not-for-profit or government body. So, private companies can also expect outside stakeholders, such as financial advisors, investors and lenders, to pay increasing attention to internal controls in the coming months.
SEC enforcement staff celebrates a record year
The Securities and Exchange Commission’s (SEC’s) ramped-up antifraud efforts seem to have paid off. A SEC press release reported that new investigative approaches and the innovative use of data and analytical tools led to a record 755 enforcement actions in 2014, covering a wide range of misconduct.
Preliminary numbers released at the end of the SEC’s 2014 fiscal year on September 30 indicated that the agency obtained orders totaling roughly $4.2 billion in disgorgement and penalties. By comparison, in fiscal year 2013, the SEC filed 686 enforcement actions and obtained orders totaling $3.4 billion. The SEC warns public companies to expect more scrutiny in 2015.
Following the SEC’s lead
Regardless of the company’s size, strong internal controls give external stakeholders greater confidence in the company’s ability to identify, analyze, and respond to risk and changes in the business and operating environments. Your financial advisors can help your company evaluate its internal controls and reinforce any weaknesses before audit season begins.
Copyright © 2014 Thomson Reuters / BizActions.