This article originally appeared on April 1st, 2016 in Compliance Week
SEC fines energy company $300K over rubber stamp internal controls
A signature alone is not convincing evidence of much of anything, in the eyes of audit and financial reporting regulators lately. The Securities and Exchange Commission delivered that message once again with a recent enforcement action that gives public company executives yet another reminder that internal controls represent more than a checklist compliance exercise.
The Securities and Exchange Commission took action against Texas-based energy company Magnum Hunter Resources Corporation, including its chief financial officer and chief accounting officer, as well as an external auditor and a consultant, for improperly concluding that a serious staffing problem in the accounting department did not rise to the level of a material weakness in internal control. The action does not include any allegations of accounting anomalies that arose during the reporting periods in question, although the company eventually went on to restate its financial results and declare bankruptcy.
Sporkin“This is a case that doesn’t have a punchline,” says Tom Sporkin, a partner with law firm BuckleySandler. “It should be very insightful that charging internal controls only is no longer off limits for the SEC.”
It is not the first time the SEC has brought an enforcement action strictly regarding internal-controls, but it underscores the SEC’s concern over management that signs reports without actually reviewing them, or that relies too easily on the findings of others regarding whether controls are operating effectively.
“That’s the crux of the ongoing issue auditors and management face,” says Ron Kral, managing partner at consulting firm Candela Solutions. “Too often they rely on sign-off without getting assurance that a reviewer actually conducted the review. The lesson here is documentation of controls doesn’t necessarily mean a control actually occurred.”
The SEC fined Magnum Hunter Resources Corp. $250,000 and two members of management a combined $40,00 for the internal control violations, and it suspended from practice an auditor and an internal audit consultant from separate regional firms in Texas. The SEC says the company undertook rapid growth through acquisition in 2010 and 2011, straining the accounting staff to keep up.
Both the external auditor and the consultant identified the staffing problem as a deficiency in control, but the SEC says both concluded and advised management that the severity of the deficiency did not rise to the level of a material weakness, which would need to be disclosed to investors.
“The SEC is yet again underscoring the importance of vigorous and well-documented internal control assessments,” says Michael Scudder, a partner with law firm Skadden, Arps, Slate, Meagher & Flom. “They are not going to permit conclusion by hindsight. The severity of control weakness does not depend on whether a misstatement occurred.”
That’s a message the SEC has delivered on multiple occasions the past few years in a handful of prior enforcements and through multiple staff speeches and remarks at public events. Brian Croteau, deputy chief accountant at the SEC, has said since at least 2013 that the SEC had some concern that management was not properly identifying material weaknesses in internal controls in the absence of an identified accounting error.
Perhaps more attention has been paid to the Public Company Accounting Oversight Board as it has stirred a big pot on internal controls the past few years through its inspection program. Inspectors cite audit violations involving internal controls more than any other auditing error in recent years, even leading to a bit of management pushback on whether demands brought by auditors are excessive.
The PCAOB has particularly focused on management review controls as an area where auditors need to dig deeper, a point illuminated in the Magnum enforcement, says Kral. “Management and auditors need to go deeper and look at those electronic signatures,” he says. “That might include re-performing some of the procedures the reviewer was supposed to do to make sure there are not any problems. People say they reviewed it, but maybe they didn’t do anything. That continues to be a problem.”
Below is a summary from the SEC of how controls broke down at MHR.
- The company’s rapid growth by acquisition strained its accounting resources, making the company unable to complete its standard monthly close process on time.
- The CFO and CAO knew of the accounting stress, but failed to apply appropriate standards when determining the severity of the internal control deficiency.
- The lead partner from a PCAOB-registered firm on an internal audit consulting engagement identified problems in the accounting department that exhibited “inadequate and inappropriately aligned staffing,” causing delays in testing. The partner concluded the staffing deficiency did not constitute a material weakness despite his belief that “[t]he potential for error in such a compressed work environment presents substantial risk.”
- The engagement partner on the external audit recognized the company lacked “adequate internal control over financial reporting due to inadequate and inappropriately aligned staffing” which “increases the possibility of a material error occurring and being undetected,” yet concluded the weakness did not rise to the level of material weakness and failed to adequately document the basis for his conclusion.
Source: Securities and Exchange Commission
Liz Ryan, a director at MorganFranklin Consulting, says the case is a stark reminder to consultants to assure management takes ownership over conclusions. “The consultant does not make decisions for management,” she says. “It means presenting them with all available information so management can make an informed decision.” She expects consultants who study this enforcement and see the consequences for an outside consultant will be more cautious going forward in terms of drawing conclusions or making recommendations to management.
Ryan says the case demonstrates the SEC’s concern about controls being properly evaluated by management. “Anytime a restatement occurs, the SEC is going to perform a look-back to understand if there were red flags earlier in the process that should have been disclosed,” she says.
The difference between a material weakness that must be disclosed to investors and a significant deficiency that does not trigger disclosure is a matter of definition, but also judgment. “There is a lot of judgement that can be brought to bear on whether something is a significant deficiency or a material weakness,” says Dan Goelzer, a partner at law firm Baker & McKenzie and a former member and acting chairman at the PCAOB. “It would be difficult in a lot of cases for the SEC to say a company made a wrong judgment, but in this case they seem to have this report for this consultant and something written by the auditor. That’s pretty good evidence.”
A material weakness in internal control is defined in the PCAOB’s Auditing Standard No. 5 as a deficiency or combination of deficiencies that suggest a reasonable possibility that a material misstatement in financial statements will not be timely prevented or detected. A significant deficiency is defined as less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting.
Companies may want to review their procedures for how they arrive at those judgments, says Michael Scanlon, a partner at law firm Gibson Dunn. The SEC’s interpretive guidance to management provides plenty of guidance on making that determination, he says. “You can create quite a comprehensive list in terms of the steps you need to go through to make the judgment,” he says.
Having a sound process for arriving at those judgments is important, but so is solid documentation, says Kral. “Because this is an important judgment, they need to document why they came to the conclusions they did,” he says. “And it should have multiple eyes and ears—not just the external auditor or the SOX consultant, but ultimately the CFO and chief accounting officer. They’re ultimately accountable.”
About MorganFranklin Consulting
MorganFranklin Consulting (www.morganfranklin.com) is a global management and technology consulting firm that works with leading businesses and government. The firm helps organizations solve their most pressing challenges and address critical finance, technology, and business objectives. MorganFranklin is headquartered in the Washington D.C. area with regional offices in Atlanta and San Francisco, and supports clients across the globe.
MorganFranklin Consulting is the brand name referring to the global organization of MorganFranklin, Inc. and its subsidiary MorganFranklin Consulting, LLC.