The Compliance Central column of the PPG has been going through a series of articles surrounding setting up a framework for your organization to implement a proactive Compliance and Ethics (C&E) program. Within each organization’s C&E program there needs to be an Internal Controls (IC) component that includes the training of the rules, regulations and requirements. The rules are slightly altered for organizations of various sizes; therefore the rules for government filing also reflect the characteristics and complexities of the organization.
This current series takes an in-depth look at the reporting of material weaknesses to the government. All publically traded United States organizations are required under US Federal Statues to submit an annual report to their shareholders. This document (report), usually authorized by the Chief Executive Officer (CEO), discloses corporate information, financial data, and corporate plans. In addition to the report each organization sends to the shareholders, the CEO must annually file with the US Securities and Exchange Commission (SEC) a Form 10-K which contains an in-depth look at the organization’s financial condition. In this filing, the organization has to include audited financial statements and any material weaknesses that exist at the end of the fiscal year.
A material weakness is “a significant deficiency, or a combination of significant deficiencies that result in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.” (Public Company Accounting Oversight Board (PCAOB)).
If the organization feels their internal controls over their financial reporting is ineffective, the additional clauses need to be reported in their filings to the SEC (other sovereign jurisdictions have similar rules and requirements):
- The nature of any material weakness,
- Its effect on financial reporting and the control environment, and
- Management‘s current plans, if any, for remediating the weakness.
The SEC expects that the certifying officers also would make the auditors and audit committee aware of any significant deficiencies, material weaknesses or fraud requiring disclosure of which they become aware outside, or subsequent to, the formal evaluation process.
President George W. Bush signed the Sarbanes-Oxley Act (SOX) into law on July 30, 2002 to ensure the reliability of publically reported financial information for US organized companies. Although most of SOX’s provisions are mandatory only for public companies that file the Form 10-K with the SEC, many private and nonprofit companies are facing market pressures to conform to the SOX standards.
The Sarbanes-Oxley Act of 2002 established two key requirements:
- Section 302: A mandate that requires senior management to certify the accuracy of the reported financial statement,
- Section 404: A requirement that management and auditors establish internal controls and reporting methods on the adequacy of those controls.
Management‘s certification called for by Section 302 requires the certifying officers to disclose to the registrant‘s auditors and the audit committee all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting.
From working in the compliance arena, I have found that when organizations do not put into place proactive steps or measures within their C&E program and they are faced with the possibility of heavy fines or prison, the penalty is always much higher if no C&E program existed than if one did. It is sad to say that organizations either feel C&E programs are too high an overhead cost or they are playing the lottery game and feel they would never get caught in a fraudulent situation. Research shows the United States is the lead in the number of enforcement actions against corporations allegedly engaged in wrongdoing. However, due to the significant amount of mandated reporting required by the US Government as opposed to other sovereignties this statistic may be a bit skewed.
C&E programs, to include strong internal controls, have increasingly become an important feature for organizations because if an organization does find itself accused of wrongdoing and the company can demonstrate that before the crime was committed, the company adopted and effectively implemented an adequate compliance program to prevent wrongdoing, the penalty is lessened greatly.
Internal controls are processes or procedures put into place within organizations to provide reasonable assurance that operations are being managed correctly. Properly designed and functioning internal controls reduce the likelihood that significant errors or fraud will occur and/or go undetected. Internal controls also help ensure that departments other than the main finance office are performing within compliance guidelines.
Weak internal controls do not imply that there is fraud within the organization or that the organization’s financial statements are misstated. Having said that, when one or more of the company’s internal controls in place to prevent significant financial statement irregularities is considered to be ineffective then there is an increased chance for a material misstatement within a company’s financial statements.