Section 302 of the Sarbanes-Oxley Act (SOX 302) mandates that public companies establish a system of effective Disclosure Controls. The signing officers are required to certify that that they (1) are responsible for establishing and maintaining disclosure controls and procedures, (2) have designed, or supervised the design of, disclosure controls and procedures to ensure that all material information is made known and (3) identify any changes in internal controls that occurred during the given period.
In our previous post, we looked at management-only assessments required by Section 302 of the Sarbanes-Oxley Act (SOX 302), filed by Russell 3000 companies between 2005 and 2015. For this blog, we updated our analysis to include 2016 data.
After steady increases between 2010 and 2015, the number of companies with ineffective Disclosure Controls leveled off in 2016.
The number of companies with ineffective controls is arguably one of the most important metrics in understanding trends in financial reporting at a macro level. Looking a bit deeper for this post, we explore one of the largest contributors to controls issues, namely Informational Systems (IT) controls.
First, it might be worth noting that SOX 302 requires companies to disclose all changes that could materially affect Internal Control over Financial Reporting. In other words, both changes related to remediation of ICFR deficiencies and changes that were made to improve effective controls need to be disclosed.
The chart below presents number of companies that noted IT changes between 2010 and 2016.
As we can see, the number of IT-related disclosures increased for both companies with effective and ineffective controls. This picture, in our opinion, is very logical.
For example, let’s look at the disclosure provided by Johnson & Johnson (JNJ). The multi-year ERP initiative described below has been ongoing since at least December 2014:
The Company is implementing a multi-year, enterprise-wide initiative to integrate, simplify and standardize processes and systems for the human resources, information technology, procurement, supply chain and finance functions. These are enhancements to support the growth of the Company’s financial shared service capabilities and standardize financial systems. This initiative is not in response to any identified deficiency or weakness in the Company’s internal control over financial reporting. In response to this initiative, the Company has and will continue to align and streamline the design and operation of its financial control environment.
For companies with ineffective controls, the reasons could vary from lack of proper controls associated with user access, to certain information technology systems to replacement of manual processes with use of the automated software.
Cyber breaches could also be linked to IT-related weaknesses or significant deficiencies. The most notable example is a recent deficiency disclosed by Equifax (EFX):
As discussed in Note 5 of the Notes to the Consolidated Financial Statements in this Form 10-Q, on September 7, 2017, we announced a cybersecurity incident. Our review of the circumstances and resulting impact on our internal controls over financial reporting (ICFR) identified two significant deficiencies in our IT General Controls environment, at this point in time. As part of the Company’s overall plan to address the cybersecurity incident, actions have already been and are being taken in the fourth quarter of 2017 to remediate these significant deficiencies.
During 2016, 7% of companies with effective controls provided IT-related disclosures, while about 41% of companies with ineffective controls provided such disclosure. There might be several reasons for the disparity between the two groups. One possible explanation is that, quite naturally, some of the controls weaknesses are IT weaknesses. Yet, it is also possible that the companies may use the weakness remediation process to augment their IT environment in general.
For more information, e-mail info@auditanalytics.com or call 508-476-7007.