In recent months, issues related to internal control systems and reporting have taken on an increased profile and significance. For example, as previously noted by the authors here and here, the SEC has sought to prioritize compliance with internal controls by initiating a growing number of investigations into companies based on allegations of inadequate internal controls.
By way of background, “internal controls” refers to the procedures and practices that companies use to manage risk, conduct business efficiently, and ensure compliance with the law and company policy. Public companies are required to maintain sufficient internal controls by the securities laws. In particular, Section 404 of the Sarbanes-Oxley Act (as amended by the Dodd-Frank Act) requires, among other things, that: (i) company management assess and report on the effectiveness of the company’s internal control over its financial reporting, and (ii) the company’s independent auditors verify management’s disclosures. Sarbanes-Oxley also created the Public Company Accounting Oversight Board (“PCAOB”) to oversee public company audits, including the audits of internal control reporting. The PCAOB, in turn, conducts regular inspections to ensure compliance with laws, rules and professional standards.
Recently, the business community has criticized the PCAOB’s inspection regime as it relates to internal control systems. On May 29, 2015, Tom Quaadman, Vice President of the Center for Capital Markets Competitiveness at the U.S. Chamber of Commerce (the “CCMC”) wrote a letter to the PCAOB and the SEC (which has oversight authority over the PCAOB) detailing the perceived problems with the inspections. While the letter recognized the importance of “[h]igh standards and superior performance systems,” the CCMC conveyed its view that the current inspection regime promotes “excessive compliance activities” for which “the costs clearly exceed the benefits.” According to the CCMC, this “excess” has “erod[ed] judgment” and increased costs and burdens without leading to more effective controls and audits.”
Primarily, the CCMC’s letter took issue with the PCAOB’s documentation requirements, which require auditors to “document the ‘precision’ of every significant judgment, decision, or review procedure performed by the company’s personnel.” According to the CCMC, this requirement is not only “very time consuming,” but the documentation of every judgment or decision is “potentially impossible.” However, the letter explains that if a judgment or decision is not documented, inspectors will conclude that “it did not occur.” Thus, companies are forced to spend “an extensive amount of time attempting to document every judgment and decision made,” which has the unfortunate effect of causing the companies to focus more on documentation than on substance.
Additionally, the CCMC noted that current PCAOB guidance requires the same level of documentation detail, regardless of the risk-level involved. Requiring such uniformity, however, does not account for the fact that an account may be high risk for one company, but low risk for another. The letter uses the example of revenue: “revenue in companies with non-complex, automated revenue processes” can have a comparatively low risk profile. But, since revenue is “viewed as a ‘hot topic’ in PCAOB inspections, auditors are not allowed to apply professional judgment on the extent of procedures performed.” The CCMC further contended that excessive documentation requirements for comparatively low risk accounts not only eliminate an auditor’s professional judgment as to the extent of procedures performed but do not meaningfully contribute to increased compliance. The letter also observed that, in response to PCAOB inspections, companies have developed extensive forms that are completed, even for “minute defects,” which has “increased audit hours for many accounts by more than 100%.” This level of documentation distracts the team from more important things, such as “understand[ing] the business” and “determin[ing] if the disclosures or controls are material/key or a risk area to [the] company.”
The CCMC concluded that the issues with excessive documentation stem from “a lack of dialogue” between the business community and the PCAOB.” Accordingly, the letter requested a meeting between the stakeholders, the PCAOB and the SEC to discuss the issues raised and explore ways to address them.
Over the past year, regulators increasingly have charged companies with violations of law or regulations based on internal control issues leading to financial reporting misstatements, FCPA violations, and anti-money laundering problems. The SEC, FINRA and FinCEN are just some of the agencies that have emphasized internal control failures and enforcement. The CCMC’s letter highlights an, at times, overlooked cost of this regulatory effort, one not involving penalties for compliance failures, but instead ever-larger compliance costs. Finding a responsible, reasonable approach to compliance is becoming increasingly elusive in this environment. Nonetheless, companies and their advisers would be well-advised to, among other things: (i) administer a full assessment of the existing internal controls and reporting systems and determine improvements or enhancements if necessary, (ii) publicize to employees on a regular basis their internal control-related obligations (as well as a method for reporting violations and deficiencies), (iii) institute procedures for handling reports from employees, and (iv) make sure that senior personnel are kept informed and are actively involved in internal control compliance.