10 Sarbanes-Oxley and Internal Controls
You’re a very successful advertising sales manager who’s just taken a job with a new company. Everything is great—the pay and benefits are much better than those of your previous job. The only problem is that every time you do something and don’t go exactly by the book—whether it’s signing an insertion order before the credit’s been approved or turning in an expense report without itemized meal receipts—the business manager comes down on you. She keeps telling you that you have to do it that certain way “because of SOX” (Sarbanes-Oxley), or “because of Section 404.” You’ve heard these terms in the news, but never paid much attention to them. Something tells you that you should now. Mary M. Collins is President and CEO of the Broadcast Cable Financial Management Association (BCFM), and she provides an insightful look at this often exasperating yet powerful piece of legislation.
Introduction
In this chapter, the reader will gain a basic understanding of the Sarbanes-Oxley Act of 2002 and its impact on broadcasting and cable companies. In it, you will find:
• An overview of the key provisions of the act.
• A summary of Sarbanes-Oxley Section 404: Management Assessment of Internal Controls.
• How COSO (to be explained later) has become the de facto framework for certifying internal controls.
• How Section 404 has impacted business in general, and broadcasting and cable companies in particular.
• A look at pending changes to the regulation and how they may impact affected companies.
In the late 1990s and early 2000s, a number of corporate accounting scandals robbed shareholders of their investments. The images of retirees losing their savings, and children with worthless college funds prompted Congress to action. The result was the Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as the Sarbanes-Oxley Act of 2002, or SOX.
This law mandated dramatic changes in the ways that public companies conduct their business and report their financial activities. Divided into 11 titles or subsections, SOX provisions include:
• The confirmation of the Securities and Exchange Commission (SEC) as the ultimate authority for oversight and management of SOX and other U.S. securities legislation.
• The creation of the Public Company Accounting Oversight Board (PCAOB), a new quasi-governmental agency responsible for overseeing, registering, and disciplining public accounting firms as well as for setting audit standards.
• The requirement that the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) of each affected company certify all periodic reports containing financial statements.
• The requirement for additional real-time disclosures.
• The requirement that all corporations listed on public stock exchanges have an independent audit committee that manages the relationship between the audit firm and the company.
• The specification of auditor independence—banning a company’s auditors from performing certain types of work, requiring precertification of all work by the audit committee, and requiring that accounting firms rotate the lead partner and review partner on accounts to ensure that neither accountant fills the same role for more than five years.
• The prohibition of personal loans to any corporate officer or director, with very limited exceptions.
• A strengthening of regulations addressing insider trading—with prohibition on such trades during certain blackout periods, and a requirement that all such trades be reported within two business days.
• Identification of additional actions as securities crimes (such as destroying, altering, or falsifying financial documents), strengthening the penalties for these white-collar crimes, and specifying a new statute of limitations for such crimes.
Section 404: Management Assessment of Internal Controls
The most complex and expensive provision of SOX is Section 404: Management Assessment of Internal Controls. One BCFM member succinctly summed up its impact when she said, “Sarbanes-Oxley is certainly a new career.”1
Sarbanes-Oxley uses the term “issuer” to describe any company covered by the legislation; this term comes from the Securities Exchange Act of 1934. Broadly stated, SOX defines “issuer” as any company—whether headquartered in the United States or elsewhere—whose securities are registered under the Securities Exchange Act and which company is required to file reports under Section 15(d) of that act.
SOX Section 404 requires each issuer to include in its annual report an internal controls report that includes three fundamental components:
1. A statement asserting that the corporate management is responsible for establishing and maintaining adequate internal controls and policies to ensure accurate financial reporting.
2. An assessment of the effectiveness of the internal controls and procedures for ensuring accurate financial reporting, as of the end of the fiscal year for which the report is being issued.
3. An audit, performed by the company’s independent auditor, of management’s assessment of the effectiveness of the company’s internal controls over financial reporting.
It is interesting to note here that the congressional committee report that accompanies the bill, a report that is intended to explain the committee’s legislative intent, says “… the committee does not intend that the auditor’s evaluation will be the subject of a separate engagement.” That is to say, Congress did not believe that a company would incur any additional expense for this assessment. Ah, the naïveté of our elected officials.
As stated above, the SEC is ultimately responsible for issuing the regulations for enforcing SOX. In the case of Section 404, the first assessments of internal controls were due before the SEC issued final rules about how companies were to comply with internal controls reporting. Companies and their auditors identified a voluntary U.S. standard known as COSO as the only standard that seemed to meet the requirements of the act.
Formed in 1985, COSO is a framework developed by the Committee of Sponsoring Organizations of the Treadway Commission. (Although the SEC has not mandated COSO as of this writing, it has stated that COSO’s control standards satisfy the agency’s criteria for an acceptable framework for evaluation.) This committee is sponsored and funded by five main professional organizations: the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). COSO’s main objective is to identify factors that cause fraudulent financial reporting and to make recommendations to reduce their incidence. To do so, the committee established a definition of internal controls as “… a process which provides reasonable assurance that an organization will achieve its objectives for effective and efficient operations, for reliable financial reporting, and for compliance with applicable laws and regulations.”
The committee also established criteria against which companies can assess their control systems. As stated in 2003, COSO had five components:
1. Control environment—Encompasses such factors as integrity, ethical values, management’s operating style, systems for delegating authority, and processes for managing and developing people within the organization.
2. Risk assessment—Begins with establishing objectives and identifying and analyzing relevant risks that are prerequisites for determining how to manage the risks.
3. Control activities—The policies and procedures used to ensure that management’s directives are carried out and that help to ensure that actions are taken to address risks to achieving the established objectives at all levels of the organization. (This includes such things as authorizations, verifications, reconciliations, segregation of duties, etc.)
4. Information and communication—Includes both the information systems that produce reports and the procedures that ensure that information flows up, down, and across an organization and to external parties.
5. Monitoring—Procedures to monitor internal controls systems, to report deficiencies, and to take corrective action.
Although this sounds straightforward, keep in mind that management must certify internal controls for every significant financial account and process. An account is considered significant when it can contain errors of some importance and/or if management thinks it should be evaluated. A process is considered significant when it covers a major class of transactions, affects significant accounts (or groups of accounts), covers significant volume of a company’s activity, and/or impacts a significant account on the organization’s general ledger. One public accounting firm has gone so far as to say that every account included on an issuer’s external financial statements is significant.
IT (information technology) processes or any procedure that requires the manual movement of data from one person, department, or software program to another requires particular scrutiny. Transactions between related entities (e.g., companies that own both radio stations and television stations, and/or cable systems as well as programming divisions; and companies that manage both businesses that sell advertising time and those that insert advertisements into programming) must be assessed carefully. If the company outsources significant parts of its business or relies heavily on outside vendors, these outside sources, too, must be evaluated.
Examples of affected accounts and processes in broadcasting and cable span the entire operation of the businesses. They include:
• Advertising sales.
• Accounts receivables.
• Capital assets.
• Capital projects.
• Cash management.
• Credit policies.
• Disbursements.
• Financial reporting.
• Information technology systems.
• Inventory management.
• Order entry.
• Payroll.
• Program agreements.
• Nontraditional revenue.
• Special offers.
• Subscription sales.
• Subscriber authorization.
• Subscriber reporting.
• Talent agreements.
For each identified account or process, management must review, evaluate, test, and document using COSO (or another framework that meets the SEC’s criteria) to ensure that significant controls and procedures are in place to prevent mistakes or misconduct. Documentation must provide reasonable support for the design and conclusion, addressing each of the components outlined in the approved framework.
Given the scope of this certification, many companies have hired consultants to help complete the task. Before SOX, companies would likely have turned to their own auditors for help. Because this is prohibited under the act, those looking for assistance have to engage either another audit firm or qualified group.
The Next Step
Once management has completed the internal certification, the process must also be certified by the issuer’s external auditors. Using statistical sampling, each account and process is tested for deficiencies. The PCAOB defines “deficiencies” as conditions that, in the normal course of performing the assigned function, cannot prevent or detect financial misstatements on a timely basis. Deficiencies are divided into three levels:
1. Inconsequential deficiency—Taken alone, the condition will have a negligible or inconsequential impact on an issuer’s external financial statements. Although two or more deficiencies may be considered “inconsequential” individually, in combination, they may reach a level of a “significant” deficiency.
2. Significant deficiency—Acondition or conditions that have more than a remote likelihood of adversely impacting an issuer’s ability to report reliable information on external financial statements.
3. Material weakness—A condition in which there is a more than a remote likelihood of material misstatements in an issuer’s external financial reports that will not be prevented or detected.
Despite the SOX committee’s initial assumption that “… the auditor’s evaluation [not] be the subject of a separate engagement,” and thus add significant expense, the preparation of the internal controls report has required and will require substantial issuer resources, both in time and in dollars. Estimates of the initial cost of compliance vary widely—2004 estimates ranged from $3 million to $16 million, and more than 30,000 hours per company. It is for this reason that a number of public company boards have opted to take their companies private.
Where Do We Go from Here?
As of this writing, two classes of issuers have yet to comply with the reporting requirements of Section 404. They are non-accelerated filers (generally smaller companies with less than $75 million in nonaffiliated market capitalization) and newly public companies (those companies that have not yet filed an annual report with the SEC). Hearing the initial complaints and the ongoing concerns about the cost of compliance, the SEC adopted revised rules for these companies on December 15, 2006. Under these rules, management’s reporting requirements for non-accelerated filers become effective for fiscal years ending on December 15, 2007, or later. The auditor’s reporting requirements for these filers are effective on December 15, 2008, or later. As for newly public companies, the auditor’s reporting requirements become effective with their second annual report.
There are also indications that the PCAOB is looking at ways to make issuers’ annual internal controls evaluations more efficient and cost effective. In the works is the PCAOB’s revision or replacement of Auditing Standard No. 2, the standard that audit firms use to attest to an issuer’s internal controls. Companies hope that the revised standard will focus auditors on material weaknesses in internal controls—these have the highest likelihood of resulting in material misstatements on an issuer’s financial statements.
Also to be evaluated is the impact of COSO’s 2004 Enterprise Risk Management— Integrated Framework, which expanded the committee’s framework to eight components from the five cited in this chapter.
Finally, it will be some time before investors and issuers can accurately complete a cost-benefit analysis of SOX, and particularly of Section 404. Do the benefits of the legislation (and its subsequent revisions) outweigh the cost of implementation and certification? Did SOX meet its objective of restoring lost investor confidence? Does it prevent the abuses it was designed to correct? Or, will history prove the truth of the words spoken by Cox CFO Jimmy Hayes at BCFM’s 2004 Annual Conference in Atlanta: “The best controls won’t help a company that has lost its integrity”?
Notes
1. Deborah Cowan, vice president of finance for Radio One, Inc., as quoted in The Financial Manager, January–February 2005.
Bibliography
AICPA. “Sarbanes-Oxley.” AICPA. http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/ (accessed December 29, 2006).
AICPA. “Sarbanes-Oxley—The Basics.” AICPA. http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/Sarbanes-Oxley+−+The+Basics.htm (accessed December 29, 2006).
CPE Inc. Online. “COSO & Creating Anti-Fraud Programs Under SOX.” CPE. http://www.cpeonline.com/cpenew/courset.asp?topic1=A246 (accessed December 29, 2006).
CPE Inc. Online. “Sarbanes-Oxley Act of 2002.” CPE. http://www.cpeonline.com/cpenew/sarox.asp (accessed December 29, 2006).
Ernst & Young. “Legislative Summary of the Sarbanes-Oxley Act of 2002,” Ernst & Young, July 29, 2002.
Infinity Broadcasting. “Station SOX Compliance Manual.” Infinity Broadcasting, April 26, 2006.
KPMG 404 Institute. “SEC and PCAOB Proposals Regarding Internal Control Over Financial Reporting.” KPMG 401 Institute. http://www.404institute.com/docs/SEC_PCAOB_Ann_122106.htm (accessed December 22, 2006).
Maltese, Evan (E&Y LLP), Lawrence Wills (Granite Broadcasting Company), and Chris Pimentel (Entercomm Communications). “BCFM Distance Learning—Section 404 of the Sarbanes-Oxley Act.” November 4, 2003.
PricewaterhouseCoopers. “Management’s Responsibility for Assessing the Effectiveness of Internal Control Over Financial Reporting Under Section 404 of the Sarbanes-Oxley Act.” PricewaterhouseCoopers, December 2003.
PricewaterhouseCoopers CFOdirect Network. “Breaking News: SEC Provides Additional Sarbanes-Oxley Section 404 Deferrals for Smaller Public Companies and Newly Public Companies.” Pricewaterhouse Coopers CFOdirect Network. http://www.cfodirect.pwc.com/CFODirectWeb/Controller.jpf?ContentCode=AALN-6WHUFB&SecNavCode=USAS-6BG36W&ContentType=Content (accessed December 15, 2006).
SC&H Group LLC. “The Bottom Line: Alerts! Breaking News—SEC Finalizes 404 Reporting Dates for Non-Accelerated Filers.” SC&H Group. http://scandh.com/FromSCandH/404_Filing_Dates.html (accessed December 20, 2006).
Schley, Stewart. “Rocked by SOX.” The Financial Manager, January–February 2005.
SOX-online.com. “Sarbanes-Oxley Act Basics.” SOX-online. http://www.sox-online.com/basics.html (accessed December 30, 2006).
Wikipedia. “Committee of Sponsoring Organizations of the Treadway Commission.” Wikipedia. http://en.wikipedia.org/wiki/Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission (accessed December 30, 2006).
Wikipedia. “Sarbanes-Oxley Act.” Wikipedia. http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act (accessed December 29, 2006).