The Compliance Central continues to discuss the basic framework for a solid Corporate Compliance and Ethics (CC&E) program. These basic building blocks are important to support a solid foundation for a successful CC&E program within your organization. An organization must, therefore, choose how robust its CC&E program should be.
As a review, we have covered the following areas of the CC&E program:
- April – Implementing a Corporate CC&E Program: The Sentencing Guidelines. Basic government guidelines for a C&E program
- May – Outline for Setting up a CC&E Program. Checklist for a CC&E Framework based on the Federal Sentencing Guidelines.
- June – Developing a CC&E Compliance Risk Assessment: Each organization is unique. Building the Organization’s Risk Profile (ORP) for each organization to identify unique risk potentials, and the Organizational Risk Assessment (ORA) tool to expose risks that will deter the organization from meeting its objectives.
- July – What are Corrective Actions?: Internal controls detect potential discrepancies before they occur; corrective actions are a proactive approach to correcting these potential discrepancies.
- August – How to do a Compliance Audit: The steps to take in order to perform a compliance audit to assist in determining the current status and progress of your CC&E program.
In September’s column of the Compliance Central, we will cover the definition of a “Material Weakness” and the history behind the reporting of material weaknesses. Future articles will go into more depth on this topic.
All too often, we have seen organizations wait until they are in trouble to even begin a CC&E program. As you can see, there are many steps organizations need to take to establish a solid program. Protecting your organization does not happen overnight; it takes planned steps to reach a maturity level that will show the government that you have a process in place to detect, control and correct actions that deter your organization from reaching its established goals and objectives. Risk assessments that lead to internal audits, followed up by self-corrective actions, all take time and, if done in earnest, will prevent or at least limit unfortunate or calculated mishaps.
However, even if an organization takes all the steps necessary to implement effective internal controls to prevent fraud, waste, abuse or outright wrongdoing, deficiencies in their internal controls could lead to a material weakness.
A material weakness is “a significant deficiency, or a combination of significant deficiencies that result in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” (Public Company Accounting Oversight Board (PCAOB)).
If a material weakness is not addressed properly, the company runs the risk of future published data regarding its earnings and expenses being incorrect. Oddly enough, the reason cited by organizations in their descriptive disclosure for most material weaknesses is poor accounting habits and untrained resources.
So, before understanding how detrimental a material weakness could be for an organization, the history is important. The Sarbanes-Oxley Act (SOX) of 2002 required the implementation of rules and procedures within publicly traded organizations. In addition to the requirement of external auditors, SOX required organizations to establish an internal auditing committee to perform control audits. Sections 302 and 404 of SOX relate to the internal controls over the organization’s financial reporting. Publicly traded organizations are required to disclose any material weaknesses in their internal controls in their SEC filings each year (a requirement in Section 302 of SOX). The focus of Section 302 is on the disclosure of the organization’s controls and procedures, and the focus of Section 404 is on internal controls over financial reporting. Section 404 also requires that auditors conduct a top-down risk assessment of a company’s internal controls. This in-depth review was put into place to identify any weaknesses in a company’s accounting system which could be compromised and lead to fraud.
In the organization’s annual financial report submitted to the SEC, there are three opinions offered:
- The financial statements,
- The manager’s assessment of internal controls, and
- The state of the effectiveness of the organization’s internal controls over the financial reporting.
Prior to SOX, the Foreign Corrupt Practices Act of 1977 (FCPA) was the sole statutory regulation on internal controls. The only disclosure any organization had to report was in their SEC-mandated 8K when disclosing a change in auditors. Even if organizations did not participate in foreign trade, the FCPA was the first statutory regulation on internal controls with the purpose of requiring organizations to maintain cost-effective internal accounting systems.
What was missing was the “how to” for developing good guidance within organizations. This led to the Treadway Commission, which stated that all publicly traded companies be required to include a report on internal controls by each organization’s management in their annual reports. This requirement was added to SOX under Section 404 with more stringent requirements. One of the additional requirements was a statement from the organization’s executive every year affirming their internal controls were effective. In addition, they had to self-disclose any material weaknesses found. Failure to comply with this reporting would bring a penalty of a $5,000,000 fine and up to 20 years in prison for the senior management leader adjudicated complicit.
Next month’s article will go deeper into the types of material weaknesses that need to be reported and how internal controls are evaluated along two dimensions, likelihood and significance, to determine whether the identified weakness meets the level of materiality that needs to be reported.