Last month, we released a report looking at long-term trends in Internal Control over Financial Reporting (ICFR) SOX 404 disclosures. In this blog, we supplement that analysis with a look at the management-only assessments required by Section 302 of the Sarbanes-Oxley Act (SOX 302), for the population of Russell 3000 companies.
SOX 302 requires the management of a company to assess the effectiveness of the company’s Disclosure Controls and Procedures. Although similar to Internal Control over Financial Reporting, disclosure controls differ in some key ways. First, the SOX 302 assessments are the responsibility solely of management; auditors do not opine on the effectiveness of SOX 302 disclosure controls. Second, these assessments are made quarterly, as opposed to the SOX 404 assessments which are performed annually.
Since these reports are unaudited, they are sometimes perceived to be less reliable than SOX 404 opinions. To be fair, there is no doubt that SOX 404 assessments get much more attention generally. Nevertheless, SOX 302 assessments offer some unique advantages to stakeholders. In particular, the fact that they are quarterly means that they sometimes provide timelier insight into a company’s control environment. Further, SOX 302 covers a broader range than the relatively narrow SOX 404 requirements. SOX 404 covers only Internal Controls over Financial Reporting – the processes and controls that go into reporting a company’s financials. While there’s no doubt that these are very important processes, and perhaps command the bulk of a stakeholder’s attention, there are a number of other required disclosures that companies are required to make that are of definite interest.
Disclosure Controls and Procedures cover the processes and controls that go into making any and all required public disclosures. For instance, companies have to disclose changes in directors and officers, or if they change their auditor, within a certain number of days. These are no small matters to stakeholders. SOX 302 controls ensure that those disclosures are made timely and appropriately. Further, as the SEC has stated, disclosure controls actually encompass Internal Control over Financial Reporting, since financial reporting is a subset of the public disclosures a company is required to make.1
Beyond that, SOX 302 also requires the signing officers to personally certify that they (1) are responsible for establishing and maintaining disclosure controls and procedures, (2) have designed, or supervised the design of, disclosure controls and procedures to ensure that all material information is made known and (3) identify any changes in internal controls that occurred during the given period.
On the face of it, we would expect SOX 302 macro-level trends to closely follow SOX 404 opinions.
As we can see from the chart above, the overarching trend for SOX 302 disclosures does indeed track with others trends that we have discussed recently, namely SOX 404 and NT late filings. In particular, we see a steep decline until around 2010, and then the number increases steadily. In 2010, there were only 104 companies that filed an ineffective DC. But the number of companies with ineffective 302 assessments has increased to 261 companies in 2015 – a surprising increase of over 150%. That pattern matches what we have seen with those other disclosures.
So, do SOX 302 disclosures provide us with any new information? Let’s step back from this macro-level analysis and turn to a couple specific scenarios where SOX 302 reports may provide useful information.
In a 2015-12-09 filing, Autodesk (ADSK) disclosed a material weakness related to the reconciliation of deferred tax account and effective tax rate. The same material weakness was reiterated in the annual SOX 404 report filed on 2016-03-23 and remained unremediated as of 2016-08-30. In 2015 alone, we were able to identify at least 50 companies that disclosed material weaknesses in their quarterly SOX 302 assessments prior to disclosing an adverse 404 report.
In other cases, ineffective controls disclosure may not make it to a SOX 404 report at all. For example, Emerging Growth Companies are exempt from the requirements of SOX 404, so SOX 302 may provide valuable insight into the strength of the controls of these companies. Let’s take a look at the Controls and Procedures section of FMSA Holdings’ fiscal 2014 financial statements.
Prior to our initial public offering, or IPO, we were a private company and were not required to test our internal controls on a systematic basis. Subsequent to our IPO, we ceased to be an emerging growth company on December 31, 2014, and therefore, we are required to conduct an assessment of, as well as have an audit of, the effectiveness of our internal control over financial reporting, beginning with our annual report for the fiscal year ending December 31, 2015.
A material weakness in internal control over financial reporting was identified as we did not design or maintain effective controls over the recording and review of journal entries for validity, accuracy, and completeness. Specifically, certain key accounting personnel had the ability to prepare and post journal entries without an appropriately designed independent review.
The material weakness was remediated in the quarter ended September 30, 2015 and the auditors rightfully issued a clean SOX 404 report for the period ending December 31, 2015.
Other interesting cases include material weaknesses in the controls of acquired companies that are excluded from the evaluation of Internal Controls in the year of the acquisition and therefore do not affect overall Internal Controls conclusion; and identification of significant deficiencies that do not raise to the level of material weakness (and therefore are not required to be disclosed pursuant to SOX 404).
There’s lots more to be said about SOX 302. Of particular interest, we think, are questions such as the following: how often do companies report significant deficiencies in their disclosure controls, but no material weaknesses in their internal controls? How often are material weaknesses disclosed in the SOX 302 assessment during an interim period, but remediated before the fiscal year end? Do disclosure control weaknesses typically tend to follow internal control weaknesses, especially at ICFR-audited companies, which would suggest that management assessments might not be as robust as they ought to be? We hope to continue investigating these issues here on this blog.
1. As stated in Final Rule 33-8124, “…these procedures are intended to cover a broader range of information than is covered by an issuer’s internal controls related to financial reporting.”↩