Back in December, Stinson’s Steve Quinlivan spotted the first CAM. Now we owe him another hat tip for finding the first few CAMs in audits issued by the “Big 4” accounting firms – see page 93 of Microsoft’s Form 10-K and page 107 of Open Text’s Form 10-K. Both companies had a CAM relating to revenue recognition. Steve noted in his blog (also see his follow-up entry):
The CAM is straightforward and does not reflect negatively on the company or its audit committee or cast doubt on its financial reporting. If anything, it most likely reflects an attitude by the auditor that “we have to find something to protect us in the case of a PCAOB inspection.” I think revenue recognition CAMs are going to become somewhat boiler plate and not likely to attract a lot of attention absent special circumstances.
Auditor Attestations: No Shortage of Comments on SEC Proposal
The comment letters have been rolling in on the SEC’s proposed amendments to the “accelerated filer” definition – which would make fewer companies subject to the auditor attestation requirement. Predictably, accounting firms aren’t in favor of the change and say that it would weaken the quality of financial reporting (here’s EY’s letter as an example). CII has also joined that camp – its letter argues that the amendment may cause investors to lose confidence in the integrity of financial statements.
CII also takes issue with the SEC’s economic analysis of the proposal – by citing to another recent comment letter from four B-School profs. That letter adds data to the assertion that some companies can’t be trusted to report material weaknesses when left to their own devices (as does this blog about Canada’s experience with a similar rule). Here’s an excerpt from this WSJ article about the letter and its underlying study:
More than 100 companies that could get relief have reported restatements that altered combined net income by $295 million from 2014 through 2018, according to a comment letter from researchers at Stanford University, the University of Pennsylvania, the University of North Carolina and Indiana University. Eleven of the restatements occurred in 2018 and wiped out about $294 million in market value, the researchers wrote.
One company in the group is Insys Therapeutics Inc., said Prof. Taylor, who co-wrote the letter. Insys, an opioid manufacturer whose market value peaked at $3.2 billion in 2015, sought bankruptcy protection in June after pleading guilty to bribing doctors to boost use of its spray version of fentanyl, a synthetic opioid. It agreed to pay $225 million in fines and forfeiture.
Insys effectively failed the internal-controls audits in 2015 and 2016, according to securities filings. The company later restated results for several quarters in 2015 and 2016. The company said at the time that neither fraud nor misconduct caused the errors. Auditors in 2017 and 2018 reported its internal controls were free from material weaknesses.
The comment letter emphasizes that the analysis in the SEC proposal quantifies the cost of internal control audits – but not the potential benefits. Of course, there are two sides to this heated debate – and the WSJ article also emphasizes the high cost of compliance for smaller companies, and that investing that money in the core business rather than compliance could improve returns for shareholders…there are letters supporting the proposal from Nasdaq, the Chamber, Proskauer and a score of life science companies, among others.
Sarbanes-Oxley Compliance: Still a Lot of Work, But Automated Controls Might Help
There was a slight decrease in Sarbanes-Oxley compliance costs last year – according to Protiviti’s annual survey on the topic – but spending remains significant ($1.3 million on average among large accelerated filers – and that excludes external audit fees). In addition, hours & control counts continue to increase. Protiviti predicts that new technologies – along with a desire to strengthen controls and (finally) lower costs – will usher in “SOX Compliance 2.0.” Here’s an excerpt:
A growing number of SOX executives recognize that more dramatic improvements, fueled by a new mindset and advanced technologies, are required. To illustrate, our results reveal that the use of analytics has jumped significantly and that a broader range of compliance activities are being subjected to advanced technology — with even more plans to do so in the future. It also appears many organizations are huddling with their external auditors to figure out how the auditor’s use of advanced automation can deliver greater compliance effectiveness.
Protiviti also found that the use of automated controls testing is increasing, more companies are using outside providers for Sarbanes-Oxley compliance, and cybersecurity is substantially increasing compliance hours. Nearly half of companies said they were now required to issue a “cybersecurity disclosure” based on guidance from the SEC & Corp Fin.
– Liz Dunshee