After the Enron scandal, Congress passed Sarbanes-Oxley (SOX) to improve the quality of financial reporting and deter fraud. One core reform was to require every company’s management team to annually assess and report on the effectiveness of the company’s disclosure controls.
This article is derived from a report generated by Joseph Burke, PhD, and Joseph Yarborough, PhD, titled “Frequency and Impact of Control Deficiencies: 2020.” The full report is currently available at no cost, just email firstname.lastname@example.org and ask for the report.
Disclosure controls are the policies and procedures that ensure a company can provide timely, accurate, and reliable financial information to the SEC and the market. When a company has disclosure control problems, it does not necessary mean that their financial information is not reliable, but it does mean that the company cannot be sure that the information is reliable.
Originally, the law also required the independent auditor to independently assess and attest to the quality of the internal controls. However, this attestation requirement, known as SOX 404(b), has been narrowed in scope repeatedly over the last two decades.
Thankfully, the SOX 404(a) requirement for management to annually report on the effectiveness of internal controls has remained intact. Additionally, the SOX 302 requirement for management to report quarterly on any disclosure control issues has also remained in effect.
Management always has a strong interest in minimizing negative events, and we will touch on how that effects how they report on control issues.
Control Deficiencies Continue Long-Term Trend
Control deficiencies have been increasing at a steady rate over the last ten years. In 2019 a record number of control deficiencies were disclosed, but in 2020 there was a return to the mean.
Control Deficiencies Are Primarily Reported by Small Companies
There are over 5,000 companies listed on U.S. exchanges. Although larger companies receive the majority of investor and media attention, there are far more small companies than large companies.
It is often important to segment the market by size because companies of different sizes have different regulatory and reporting requirements, so they are often operating in different environments. For example, smaller reporting companies with less than $75 million in public float don’t have to comply with 404(b), neither to Emerging Growth Companies.
These small companies still need to assess their internal controls, but that assessment is not independently verified by their auditor. This lack of verification can result in companies “phoning-in” their assessment.
The easiest way to “phone-in” the assessment is to provide an adverse opinion. This is safer than claiming that internal controls are good, and risk being humiliated if they are eventually forced to file a restatement. And since so many other small companies are filing adverse opinions, the announcement of an adverse opinion on a small company has relatively little impact. After all, many people expect small companies to lack the resources necessary to implement rigorous controls.
Adverse opinions by management are far more meaningful for large companies. Since the independent auditors at large companies provide their own independent assessment of internal controls, management is strongly incentivized to implement and maintain rigorous controls.
The different incentives at play create a remarkably different results when we segment the company population by size. Small companies were over 5 times more likely to report a control deficiency than large companies. This is consistent with our research demonstrating that small companies are far more likely to report a restatement than large companies.
Smaller companies are more likely to report control deficiencies than larger companies. This is probably due to the differences in stakes. With considerably less attention and lower expectations, it is easy for management at smaller companies to save time and money by truncating their assessment of internal controls by giving themselves a failing grade. And since so many of their peers give themselves this same failing grade, there is little pressure to improve.
We always expect companies to take the easiest road. Since SOX has created a two-tier system, with one set of rules for small companies and another set of rules for large companies, we are not surprised to see wildly disparate results.