Material Weaknesses in Internal Controls a Decade after Sarbanes-Oxley

IMGCAP(1)][IMGCAP(2)]Effective internal controls reasonably prevent material misstatements in financial reporting and fraud, but poor internal controls have hurt businesses, investors and the public accounting profession.

In response to the large-scale frauds and lack of internal controls at large, public companies such as Enron and WorldCom a decade ago, Congress passed the Sarbanes Oxley Act of 2002 to restore the faith of the investing public. Section 404 of SOX requires management to explicitly acknowledge responsibility for establishing, maintaining and assessing internal control effectiveness. Section 404 also required auditors and management to provide an opinion on the effectiveness of internal controls.

While SOX was passed a decade ago, regulations on effective controls have loosened since the passage of Sarbanes Oxley. The passage of SEC rule 33-9142 in 2010 permanently exempts SOX 404 (b) requirements for public filers that are neither an accelerated filer nor a large accelerated filer. This means companies with a public float of less than $75 million are exempt from a Section 404 (b) audit. A SOX 404(b) audit requires a public accounting auditor to attest to and report on management’s assessment of its internal controls. The April 2012 passage of the JOBS Act further reduces internal control testing.

 

Top 6 Ineffective Internal Control Accounting Rule Violations Reported by Auditors From 2004-2011

Rank

Frequency

Percentage

Description

1

733

10.82 %

Tax Issues / FAS 109 issues

2

676

9.98 %

Revenue Recognition Issues

3

573

8.46 %

Liability & Accrual Estimation Failures

4

554

8.18 %

Current Asset Issues

5

528

7.79 %

Inventory, COGS Issues

6

423

6.24 %

PPE, Intangible Asset Issues

 

 

Top 6 Ineffective Internal Control Accounting Rule Violations Reported by Management From 2004-2011

Rank

Frequency

Percentage

Description

1

4,098

27.04 %

Unidentified GAAP issues

2

492

3.25 %

Current Asset Issues

3

399

2.63 %

Financial

 Statement Issues

4

386

2.55 %

Debt, Security Issues

5

310

2.05 %

Revenue Recognition Issues

6

301

1.99 %

Related Subsidiary Issues

 

Top 6 Non-Effective Internal Controls Identified During Assessment by Auditors From 2004 - 2011

Rank

Frequency

Percentage

Description

1

2,312

25.00 %

Accounting Documentation & Procedure

2

1,459

15.78 %

Material & Auditor YE Adjustments

3

1,255

13.57 %

Accounting Personnel Training Issues

4

938

10.14 %

Restatement of Filings

5

611

6.61 %

Improper Account Reconciliations

6

521

5.63 %

IT Security & Access Issues

 

Top 6 Ineffective Internal Controls Identified During Assessment by Management From 2004 - 2011

Rank

Frequency

Percentage

Description

1

5,653

17.91 %

Accounting Documentation & Procedure

2

4,572

14.49 %

Accounting Personnel Training Issues

3

3,617

11.46 %

Segregation of Duties Issues

4

1,582

5.01 %

Ineffective Audit Committees

5

1,319

4.18 %

Material & Auditor Year-end Adjustments

6

1,020

3.23 %

Inadequate Disclosure Controls

 

Ineffective internal controls and material weaknesses in internal controls over financial reporting in public companies continue to exist a decade after SOX. Our research analyzed the 2004 to 2011 fiscal year trends of internal control deficiencies that led to material weaknesses and ineffective internal controls identified by auditors and management. Material weakness is an internal control deficiency or combination such that there is a reasonable possibility that a material misstatement in a company’s financial statements will not be detected or prevented.

We used the University of Pennsylvania Wharton Database for internal controls data of large and small public companies that were audited by a variety of auditors, including Big 4 auditors, national and regional accounting firms. However our research did not show a difference in the types of internal control deficiencies identified between Big Four and non-Big Four auditors. The research was based on a sample of 79,948 internal control reports from 2004 to 2011 of public companies by management and auditors.

Our research found that the types of internal control deficiencies were consistent year after year from 2004 to 2011. However, there were significant differences between what auditors and management identified as internal control deficiencies. The tables above are the top six accounting rule violations that led to ineffective internal controls identified by auditors and management. The percentage column is the percentage of a particular accounting rule violation identified by auditors or management from the grand total of accounting rule violations from 2004 to 2011.

We also researched the 2004 to 2011 statistics of unique public companies in which auditors expressed an opinion that internal controls were not effective. Over a third of companies which had an ineffective internal controls opinion by auditors later reported ineffective internal controls for a later fiscal year or for multiple fiscal years.

Our research demonstrates the same internal control deficiencies issues and accounting rule violations are consistent year after year from 2004 to 2011. There are differences between what management and auditors identify as internal control deficiencies. Apparently, some major public companies neglect to have effective internal controls or demonstrate a slow pace of internal control improvement when they certainly have the capability to improve their internal controls.
It has been a decade since Sarbanes-Oxley, and there is still room for companies to improve their internal controls. Internal control deficiencies identified in recent cases have led to undetected misappropriation of assets by fraud and bribery. In serious cases of internal control deficiencies, the consequences have led to the SEC revoking the securities registration of public companies such as Syntax-Brillian for fraud. NEC Corporation’s securities registration was revoked by the SEC for lacking internal controls that misstated revenue and net income from 2000 to 2006 and for failing to file for the fiscal years 2006 and 2007. A securities registration revoking by the SEC prevents a public company stock from being traded.

Accounting firms and CPAs also have had their registration revoked by the PCAOB. A PCAOB registration is needed for public accounting firms to issue or participate in audit reports of public companies. The Blackwing Group LLC, and Robert T. Taylor, CPA, had their PCAOB registration revoked for not performing audit procedures and not evaluating internal controls of clients. In the case of Taylor, he did not perform internal control testing for three fiscal years in a row (2006 to 2008) of American Fiber Green Products.

[IMGCAP(3)]

Our research demonstrates the need for strong internal controls, regulation and internal control testing to prevent, detect and correct internal control deficiencies from becoming larger issues such as fraud. Yet, on April 5, 2012, the Jumpstart Our Business Startups Act became law which further reduces internal control testing requirements. The JOBS Act is designed to encourage small business growth by removing securities regulations. The Center for Audit Quality, the American Institute of CPAs and the Council of Institutional Investors have criticized the JOBS Act for weakening SOX audits of internal controls. If the loosening of internal control regulation continues, it increases the chances of future major frauds.

Henry Chao has worked on programming accounting information systems for government entities and Dr. Paul Sheldon Foote is a professor at California State University, Fullerton, who focuses on information technology development in accounting.

 

For reprint and licensing requests for this article, click here.
Audit Regulatory actions and programs
MORE FROM ACCOUNTING TODAY