On August 1, 2014 Citigroup Inc [C] received a comment letter from the SEC. One of the comments referred to a $235 million after-tax charge resulting from a fraud discovered at its Banco Nacional de Mexico (Banamex) subsidiary, which was recorded during the 12/31/2013 year-end close process. Commenting on this charge, the SEC raised concerns that the identification of the fraud might have affected the company’s evaluation of the effectiveness of its internal controls over financial reporting (ICFRs), and that the deficiency might not be limited to the Banamex subsidiary:
“Tell us how the identification of this fraud impacted your conclusion on the effectiveness of your disclosure controls and procedures and internal control over financial reporting (ICFR)as of December 31, 2013. As part of your response, please explain how you considered whether locations other than Banamex have controls that are similar in design to those that failed at your Banamex location.”
Despite the fraud, the company’s fiscal 2013 ICFR opinions – both management’s and the auditor’s – did not cite any material weaknesses or significant deficiencies, nor did its DC (Sox 302) evaluation. So how is it that these controls were considered compliant?
According to Audit Standard 5 companies must disclose “all such deficiencies that it believes to be significant deficiencies or material weaknesses.” A material weakness is a deficiency in controls such that there is a reasonable possibility that a material misstatement would not be prevented or detected in a timely manner. A significant deficiency is less significant than a material weakness, but nevertheless merits attention.
In Citigroup’s response, the company explained its process for determining the severity of the deficiency. First, the company reviewed its worldwide accounts receivable processes. During the review, it discovered that five of its 1,100 receivable facilities had deficiencies. Citigroup determined that the errors were not material, and that the process breakdowns were isolated. Next, the company evaluated controls designed to limit the materiality of any potential deficiencies. They concluded that these controls were effective in preventing a material misstatement. Finally, the company evaluated the employee responsible for the transaction, and concluded that the employee did not have an oversight role in which the employee could exacerbate the deficiency.
In the end, Citigroup determined that its ICFRs were effective.
Adverse ICFR opinions are extremely rare, at least for bigger, well-established companies. Virtually all adverse opinions come from smaller companies outside the Russell 3000.
A total of 1,677 companies reported some type of internal control deficiency in their fiscal 2013 10-K. Of those companies 111 (6.62%) are in the Russell 3000, and only 1 is in the S&P 500. As you can see from the chart, that pattern is pretty consistent from 2010 on. 2014 does not appear to be diverging from this trend. With 396 total deficiencies reported so far, 18 are in the Russell 3000 and none are in the S&P 500.