Tuesday, February 22, 2005
SOX Catch-22: Certifying Controls Later Found Weak
Companies that previously certified "disclosure controls and procedures" under Section 302 of Sarbanes-Oxley may find themselves this year in the uncomfortable position of having internal control audits under Section 404 reveal material weaknesses?with regulators wondering why those flaws weren't reported earlier.
The SEC's final rule implementing Section 302 of SOX requires company management to present "conclusions about the effectiveness of the [company's] disclosure controls and procedures based on the required evaluation." Under Section 404, management must disclose any material weaknesses in internal controls and will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses.
Stephen Poss, head of the securities group at the Boston law firm Goodwin Procter, told Compliance Week that the 302/404 dynamics present a possible "Catch-22" for companies. "The SEC has made it abundantly clear that disclosure controls and procedures include many elements of internal controls over financial reports," Poss said. "To the extent that CEOs and CFOs have been making certifications, those certifications subsume some statement about the effectiveness of internal controls."
When 404 reports are issued, many companies are going to be facing conclusions that their internal controls were ineffective. Though the exact number of companies that might face such an "adverse opinion" is not known, estimates have ranged from 10 percent to 20 percent of public companies. If that's the case, it is likely that many companies that fail the 404 test might have indicated in their 302 certifications that their controls were effective. "If internal controls are not effective, how is it that you signed off on the financials when they included some element of [internal controls]," Poss asks.
William Tolbert Jr., a former associate director of the SEC?s Division of Corporation Finance, told Compliance Week that companies ?have an absolute reason? to be concerned. "It's not a situation to be ignored," said Tolbert, now a partner in the Washington office of Jenner & Block. Tolbert predicts that the Commission will indeed be checking whether companies certified disclosure controls and procedures that were later found to be ineffective. "The SEC is not going to be terribly sympathetic if you've already certified," he says.
posted by Brian Moran @ 9:55 AM