Twenty years ago, the SEC brought cases against the auditors and executives of Enron for failures of internal controls and financial reporting. In the wake of this fraud, Congress and financial regulators instituted extensive changes to prevent similar issues from recurring. The Sarbanes-Oxley Act (SOX) was adopted in 2002 in light of the Enron crisis. Immediately, SOX became part of the daily business language.
What does ICFR mean and how does it impact SOX compliance?
One critical aspect of corporate reporting and SOX compliance is effective internal control over financial reporting (ICFR). ICFR is designed to protect and enhance the accuracy and transparency of financial reporting data by public companies. “Adequate internal controls are the first line of defense in detecting and preventing material errors or fraud in financial reporting,” said SEC Chief Accountant Wesley Bricker in 2019. “When internal control deficiencies are left unaddressed, financial reporting quality can suffer.”
In 2020, nearly two decades after the Enron scandal, Wells Fargo agreed to pay an astounding $3 billion fine for its “cross-selling scandal.” The bank encouraged and enabled employees to open nearly 3.5 million fraudulent accounts, falsifying records and reporting incorrect information which misled investors. These high-profile cases represent only a small number of the numerous ICFR related actions by the SEC Division of Enforcement over the years. More than ever, the SEC and market continue to be focused on effective and high-quality financial reporting.
ICFR vs. SOX: The process drives the final product
Most issuers focus on the final product – SOX certification in their reports. The reality is that the process of assembling and managing an effective SOX program, guided by a well-documented and tested set of internal controls, is just as important. Even with accurate and error-free financial data, if material weaknesses in ICFR are detected, then companies may still face SEC and market scrutiny, enforcement actions and, ultimately, damage to their business reputation. The entire point of ICFR, as defined and required by Sarbanes-Oxley (SOX), is to put procedures in place to reasonably ensure compliance with the company’s policies and compliance requirements.
The process itself is just as critical as the presentation and accuracy of the final product.
CEOs and CFOs put their name on the line — literally
When CEOs sign off on their quarterly and annual SEC filings, they are certifying the content and accuracy of the report, including the critical strength of the controls of that data and awareness of any material errors and fraud. When it comes to ICFR, they are — quite literally — putting their names on the line via separate Sarbanes-Oxley Section 302 and 906 Certification (filed as exhibits with their 10-Q and 10-K). In the view of the SEC, there is no pleading ignorance regarding material weaknesses — CEOs are accountable for the process as much as the end product. That is just one reason why Wells Fargo executives are themselves facing fines and sanctions.
Poor ICFR have cascading negative impacts on the business
Even if your company doesn’t end up in the headlines as a target of SEC enforcement actions, restating financial statements, due to failure of ICFR, can have cascading negative effects on your business. When a company restates financials, they are required to acknowledge and report all material weaknesses in ICFR. Acknowledging errors and/or material weaknesses causes everyone — analysts, investors and regulators — to examine everything you’ve stated, including in previous filings. Moreover, as we will cover in an upcoming post, if you have poorly designed and executed controls in one area of your SOX compliance management program, the SEC reports this demonstrates a high statistical likelihood you have issues in other controls as well — and that you’ve probably had these issues consistently from quarter- to-quarter, year-over-year. As increased SEC scrutiny uncovers further issues, more unwanted questions arise. Analysts grow less interested in following your company — after all, they can’t trust your data. Investor confidence and interest wanes. All are outcomes no company wants.
You have to want to execute ICFR well
For all these reasons, every public company must have effective ICFR required under SOX. Beyond compliance and risk mitigation, there are good reasons that you should want to execute ICFR well. Just as careless management of SOX compliance creates a negative cascade, executing SOX compliance properly drives a snowball of positive effects: Effective internal controls mean your financial statements will consistently be the best they can be. This means your data will be high-quality and will tell the financial story the company intended.
SOX is complicated — technology can help
There’s no question that SOX compliance can be complex and challenging. Moreover, most companies see SOX compliance as a burden on personnel and financial resources — leading to a general lack of continual focus. However, it is clear that failing to properly focus on internal controls can result in SEC scrutiny and end up costing your company much, much more.
The good news is there are robust, yet simple to implement and operate, financial reporting and SOX compliance technologies that are rapidly replacing antiquated Excel® spreadsheet-based SOX program management methods. Companies are quickly realizing the benefits of these platforms in reducing the burden — and the cost — of SOX compliance and bringing immediate transparency to key stakeholders, including executive leadership and external auditors.
SOX is here to stay — the SEC is paying closer attention
SOX is here to stay and recent SEC actions make it clear that regulators are paying more attention than ever to failures of ICFR. Forward-thinking companies should be looking for ways to leverage these smart technologies, such as Toppan Merrill SOX Automation, to automate ICFR and SOX compliance process — and take advantage of sophisticated and technology infused with deep SOX subject matter expertise that expose material weaknesses and potential reporting errors long before they can embarrass or damage their business.
Toppan Merrill is here to help.
For decades, the experts at Toppan Merrill have supported internal audit professionals through creating efficiencies, transparency and predictability of cost within their SOX compliance programs. Visit our SOX compliance page to learn more or connect with one of our experts at [email protected] or by calling 800.688.4400.