In a recent post, we discussed trends in Sarbanes-Oxley Act Section 302 Disclosure Controls and Procedures (“DC&P”, or “SOX 302”) filings, and highlighted some reasons why disclosure controls may be of interest to investors and stakeholders. In this post, we look at a recently published paper titled “An Analysis and Taxonomy of Disclosure Controls and Procedures Effectiveness”, by Thomas R. Weirich and Lori Olsen from Central Michigan University. In the paper, the authors provide an in-depth analysis of the differences between disclosure controls and Sarbanes-Oxley Act Section 404 Internal Control over Financial Reporting (“ICFR”, or “SOX 404″). The authors proceed to analyze SOX 302 trends over an 11-year period and point to additional areas where research could be beneficial.
As pointed out by Weirich and Olsen, the SEC requires that officers must: (1) establish a “disclosure committee”; (2) adopt consistently written policies and procedures; (3) establish disclosure evaluation systems; and (4) establish a certification review and reporting procedures involving the audit committee. Under these guidelines the issuer must maintain an adequate system of DC&P in order to provide transparency to investors.
The authors note the importance of effective SOX 302 reporting by discussing an enforcement action brought by the SEC against JPMorgan Chase (filed in 2013) and another complaint brought against Bank of America (filed in 2010). In both instances, the companies failed to make complete disclosures, were fined by the SEC, and were required to reassess the effectiveness of the Disclosure Controls and Procedures. These examples serve to establish the seriousness with which the SEC takes disclosure controls reporting.
In the second half of the article, the authors turn towards the growing trend in ineffective disclosure control reports during their sample period (2004 to 2014). The authors, using Audit Analytics classification, identify four categories of weaknesses that could lead to disclosure control ineffectiveness: (1) Accounting issues, errors in applying GAAP; (2) Fraud issues, irregularities or misrepresentations; (3) clerical errors; and (4) Other – many entities do not disclose any reason for having ineffective DC&P.
The authors also looked at the correlation between ICFR and DC&P effectiveness. Naturally, one would expect that ineffective ICFR and ineffective DC&P would be strongly correlated. Yet, Weirich and Olsen found that roughly 8% of reports made in their sample period had effective ICFR but ineffective DC&P. As we have discussed, DC&P are broader than ICFR, so this is not necessarily incompatible. Nevertheless, while it is more common to see ICFR and DC&P as either both effective or both ineffective, there is clear evidence that effective ICFR are not a guarantee of effective DC&P.
Weirich and Olsen conclude by reaffirming the importance of disclosure effectiveness and ask a number of important questions, including the applicability of disclosure controls framework to other somewhat less traditional areas, such as Conflict Minerals, sustainability, and non-GAAP reporting.