It’s not just Dodd-Frank that has been roundly disparaged in some quarters; SOX 404(b)—the requirement to have an auditor attestation and report on management’s assessment of internal control over financial reporting—has also recently been much maligned. For example, at a recent House subcommittee hearing devoted to the reasons for the decline in the number of IPOs and public companies, a majority of the subcommittee members attributed the decline largely to regulatory overload, with a number of the witnesses training their sights directly on SOX 404(b). (See the SideBar below.) And then there are the legislative efforts to limit the application of SOX 404(b), such as the provision in the Financial Choice Act to allow certain time-lapsed EGCs another five-year exemption from the audit-attestation requirement. (See this PubCo post.) Whether you view these efforts as heavy-handed or not enough of a good thing, the notion that internal controls might diminish fraud risk remains controversial: some maintain that they are a strong deterrent, while others challenge that contention in light of management’s ability to override controls. A recent study by academics in Texas analyzed whether the strength of internal control significantly affects fraud risk. The result: the study found “a strong association between material weaknesses and future fraud revelation,” leading to the authors’ conclusion that “control opinions that do cite material weaknesses provide a meaningful signal of increased fraud risk.”
Some witnesses at the House subcommittee hearing, entitled “The Cost of Being a Public Company in Light of Sarbanes-Oxley and the Federalization of Corporate Governance,” called for the elimination, either entirely or for all companies outside of the Fortune 500, of the auditor attestation requirement. SOX 404(b), they urged, is time-consuming and expensive for smaller companies, diverting capital from other more important uses such as R&D. In addition, they charged, the definition of “internal control” is too broad, and the scope of “attest” imposed by the PCAOB is too exclusive. The hearing’s lonely voice in favor of the auditor attestation requirement contended that internal controls are the backbone of the financial statements and that some auditors view the attestation as more important than the audit itself. In addition, he maintained, knowing that a third party will examine their work will encourage companies to maintain better internal control. Moreover, even if SOX 404(b) were eliminated, there could very well be no beneficial effect on the number of public offerings, but the risk of financial scandal could dramatically increase. (See this PubCo post.)
The study focused on future fraud disclosures because auditors routinely go back and amend internal control reports to reflect a material weakness whenever a restatement is issued or restatement-related fraud is discovered. Instead, the study focused on “whether disclosed material weaknesses indicate that management is engaging in not-yet-revealed accounting fraud… or will engage in accounting fraud in the future.” While past studies had shown that material weaknesses were related to restatements, most did not distinguish between errors and fraud.
The study looked at a sample of about 14,000 audited internal control opinions between 2005 and 2010, identifying 1,488 that had at least one material weakness. Examining records of settled securities class-action lawsuits that alleged violations of GAAP, as well as SEC and DOJ enforcement actions alleging fraud or other intentional accounting misconduct, the authors found, out of the sample of 14,000, 127 fraud cases that occurred within three years after the filing of the firm’s audited internal control opinion, 36 of which had a prior internal control opinion reporting a material weakness. In 27 instances, the fraud was occurring while internal controls were deemed ineffective. (In light of the timing, the authors concluded that it was unlikely that the auditor knew of the subsequent fraud disclosure beforehand.) The study concluded that the data showed “a statistically and economically significant association” between reports of a material weakness and disclosure of fraud within the three years after reporting the weakness compared to companies without a material weakness.
Why would that be the case? The study looked at three possible theories: that internal control weaknesses provided managers with an opportunity to commit fraud in a specific account due to poor internal control over the specific area in which the fraud was committed; that internal control weaknesses provided a more general opportunity to commit fraud through weaknesses in entity-level controls (controls that have a pervasive effect on a company’s internal control, such as training or competence issues with accounting personnel); and that internal control weaknesses “represent a more systemic cultural characteristic of the firm or its management,” such as a firm culture tolerant of fraud and other misconduct. The authors concluded that the second theory regarding the general opportunity to commit fraud was most convincing. They found only five frauds related to a weakness in a specific account or process, which appeared inconsistent with the first theory. In addition, because the material weaknesses predicted fraud ongoing during the weakness period, but not beginning afterwards, the authors viewed that result as inconsistent with the third theory. Accordingly, the study concluded that “the link between material weaknesses and unrevealed fraud is entirely driven by entity-level material weaknesses.” The authors observed that their conclusion “supports the ‘top-down’ focus on entity-level controls in Auditing Standard No. 5.”