Putting internal corporate audits into perspective
Posted: 6:55 am Fri, August 30, 2013
By Dolan Media Newswires
By Stephen M. Honig
The NASDAQ marketplace is home to many emerging companies. Lacking the size of New York Stock Exchange companies, NASDAQ companies nonetheless have been pushed by federal regulation into a regulatory environment parallel to that of NYSE-listed companies.
New York Stock Exchange Rule 303A.07(b)(iii)(E) requires the audit committee to work with the internal audit function. This internal audit function is required by subsection (c) “to provide management and the audit committee with ongoing assessments of … risk management processes and systems of internal control.”
Thus, it wasn’t surprising that NASDAQ last February proposed for public comment a rule requiring NASDAQ-listed companies to maintain an internal financial audit function.
Similar to the New York Stock Exchange, the NASDAQ company’s audit committee periodically would be required to meet with internal auditors. Implementation was on a short trigger; if NASDAQ-listed before June 30, 2013, you would get only until year-end.
The proposal isn’t specific about what is being audited. There’s discussion of “internal control,” but of what? There’s discussion of making the company aware of “risk management processes.”
A small number of comments were filed with the SEC relative to the proposal, but they were sufficient to cause consternation at NASDAQ. Unlike many regulatory proposals, the comments were not provided primarily by law firms (only one responded), and although there were several responses from accounting professionals, the majority were from small companies in opposition to the proposal.
The SEC extended the comment period until June 6 in order to permit fuller commentary, but before the expiration of that period NASDAQ itself withdrew the proposal “so that we may adequately consider these comments.”
The dialogue concerning the proposal reflects the tension between advocates of economic growth and advocates of strict regulation.
Who was in favor of the proposal?
Of dozens of NASDAQ-listed companies, only one was supportive. Most supporters were members of the accounting profession: a professional auditor, a national accounting firm, the Institute of Internal Auditors (180,000 members), and professors at two schools of accountancy. Support from accounting professionals was tempered only by a request for even more specificity: The internal audit function should follow auditing standards.
What were the arguments in opposition to the proposal?
Almost all company commentators raised the relationship of cost to company size. Many recited their present burdensome cost of maintaining public ownership, ranging from several hundred thousand to a couple million dollars (depending on who was counting what).
Many, noting their market capitalization, suggested a de minimis rule: an internal audit function would not be required for companies below a certain market cap — be that $50 million, $75 million or $500 million.
Several companies in the biotech and pharmaceutical area observed that they were pre-revenue, conducting multi-year development of technology-based products; every incremental expense was economically disproportionate and took away from entrepreneurial effort.
The Bio-Technology Industry Organization noted that some members spend more than $1 billion over a decade to bring just one treatment from laboratory to hospital, all without prior revenue; that they need access to public capital markets; and that burdening them with internal financial audits is illogical.
Many argued that they have financial controls adequate for their own companies, that they already are sufficiently regulated, and that you can’t impose one-size-fits-all rules on smaller companies.
Other responders were more granular: “We already have an external audit, which costs a fortune; why do we need an internal one?”
The PCAOB (the agency supervising firms auditing public companies) sets adequate audit standards.
Section 404(a) of the Dodd-Frank Act already requires public companies to file reports of internal control over financial reporting, including assessment of effectiveness (requirements made specific by Item 308 of SEC Regulation SX). Larger companies also must have outside auditor sign-off under Section 404(b).
Several commentators made reference to the Dodd-Frank Act requirement that the federal General Accounting Office submit a study (due later this year) as to whether public companies exempt from the outside auditor requirement incur more restatements of their financials.
The expectation is that the GAO may report that added regulatory focus on financial controls does not improve the quality of financial statements. (The import of the GAO findings will be questionable. Dodd-Frank asks the GAO to comment only on the impact of Section 404(b) of SOX; the requirement of Section 404(a), that companies maintain internal financial controls, is beyond the scope of the GAO mandate.)
It’s confusing to place the proposal (which may come back in amended form), or indeed the standing New York Stock Exchange Rule, into regulatory perspective.
The proposal and NYSE Rule both are “one-size-fits-all” solutions. Under SOX 404(a), all publicly registered companies must maintain and report on internal financial controls. SOX originally also required all companies of any size to obtain CPA sign-off, a requirement subsequently eliminated for companies with less than $75 million of market value or less than $50 million in revenues.
Then along came the JOBS Act in April 2012, a wide-ranging congressional effort to bring the country out of economic doldrums. That statute defined small companies (“emerging growth companies”) differently, as those with annual gross revenues less than $1 billion, provided they completed their IPO after Dec. 8, 2011.
Putting aside the illogic of treating companies of identical characteristics differently depending on their IPO date, the statute attempted to nurture more public companies by, among other things, giving emerging growth companies a five-year hiatus from providing 404(b) auditor attestation.
Certain regulatory procedures under Rule 12b-2 of the Securities Exchange Act of 1934 slice the pie in yet another way, providing definitions for companies that are “accelerated filers” (less than $75 million of market cap) and “large accelerated filers” (more than $700 million of market cap). Indeed, the law firm commenting on the proposal suggested utilizing one of those standards as the cutoff below which companies would be excused from compliance with the proposal.
Setting size parameters below which a company would be excused from the proposal makes little sense. Some small companies are complex; some large companies are still in the development phase. Size is no absolute indicator.
Additionally, a larger company typically might have more sophisticated financial controls, and so to excuse smaller companies from the proposal may mean excluding companies most in need of it. While I don’t minimize the cost burden argument, it may be another case in which someone really needs something that they simply can’t afford.
But the biggest element of illogic is the conflation of a numbers-based regulatory scheme with the concept that such an approach is really about risk management.
With significant impetus from the financial meltdown of the 2008 period, the world began to view risk management in more than numerical terms. With the background of the New York Stock Exchange Rule vesting control over risk in the audit committee, management and directors historically thought of risk in terms of legal compliance, adequacy of financial controls, prevention of fraud, prevention of Foreign Corrupt Practices Act violation, prevention of embezzlement, and accuracy in identifying true sales, all matters that can be viewed from a financial accounting standpoint.
But the Great Recession wasn’t caused by inadequate financial controls. It was caused by the incurrence of risks of an entirely different nature, a range of risks so apparently different that a new nomenclature arose: “enterprise risk management.” What market risks were being taken? What risks were being driven by executive compensation? What risks were incurred by reason of technological change? How should companies think about risks beyond those which “internal audit functions” could identify?
One alleged benefit of the proposal, that management would become better informed about risk, creates an inapposite implication. The proposal is just talking about numbers and, indeed, to impose further focus on financial analysis (given our robust existing regulatory scheme) will divert attention from a broader understanding of risk.
Interestingly, only one proposal commentator identified this conflation as inappropriate. The Society of Corporate Secretaries and Governance Professionals, noting that the proposal, if adopted, should apply only to financial reporting risk, observed that the imprecise use of the word “risk” by NASDAQ obscures comprehensive risk oversight.
The society noted as examples that airlines are worried about safety, chemical companies about the environment, the food industry about obesity, the energy industry about nuclear disposal, the manufacturing industry about worker safety, and the pharmaceutical industry about labeling, all risks wholly removed from financial control considerations.
There should be one standard under the securities laws, Exchange Rules, PCAOB requirements and auditing standards with respect to the maintenance of the financial records of any public company.
The application of that standard shouldn’t vary depending only on the size of an enterprise; a more textured approach is needed to understanding what level of control fits what kind of company.
Internal financial audits shouldn’t be promoted as risk management, but only as one element of operations to be evaluated during broader enterprise risk management review.
Stephen M. Honig practices at Duane Morris in Boston. Elizabeth Sanders, an associate at the firm, assisted in the preparation of the above article.