Some sloppy practices turned up in the first self-exams that Pacific Northwest public companies conducted to meet Sarbanes-Oxley rules on internal controls.
The same words occur again and again in Seattle-based Loudeye’s report on its internal financial controls. Words like “insufficient” (14 times over 10 pages) and “deficiency” or “deficiencies” (29 times).
Not exactly the way a company likes to refer to itself. But a new federal rule requires Loudeye, like other publicly traded companies, to assess its internal controls — essentially, how it manages the flow of money and information among its layers and divisions.
And Loudeye’s report reads like a “what not to do” handbook. The weaknesses it identifies range from too few people with not enough experience in accounting and finance, to people improperly sharing computer passwords.
After several requests, a Loudeye spokesperson said no one at the company was available to comment. Its report said the company is working to strengthen its controls but doing so will take most of 2005 and cost $1 million.
Throughout the Northwest and around the country, publicly traded companies such as Loudeye are delivering their first internal-control reports, as required by Section 404 of the Sarbanes-Oxley Act of 2002.
Taking a closer look
A sampling of the internal-control flaws noted by Northwest companies:
Coeur d’Alene Mines: No one stopped Chilean operations from using nonstandard accounting policies.
Digimarc: New accounting system was designed and implemented improperly.
Flow International: Insufficient analysis and review of how subsidiaries’ financial statements were consolidated.
Insightful: Purchasing, receiving and authorization functions weren’t properly separated.
SonoSite: Lack of expertise led to errors in reporting income-tax amounts.
Source: Company reports
Many companies have complained loudly about the 404 rules, branding them intrusive, vague and, above all, expensive. And with reason: Among the 97 Northwest companies that have reported their accounting costs so far, the average bill for audit and audit-related fees last year was up 64.2 percent compared to 2003, Seattle Times research shows. (Costs are expected to go down in subsequent years.)
The Securities and Exchange Commission (SEC) last week held a roundtable discussion on 404 to give shareholder advocates, companies, accounting firms and others a chance to debate its costs and benefits.
Microsoft, in written comments, said it has spent more than $15 million on its 404 review, and still has “a substantial amount of work remaining” before its report is due this summer. While supporting the overall goals of 404, Microsoft urged regulators to clarify what is and is not required to comply with the law, and to put less emphasis on routine processes such as payroll.
Those comments were echoed by Seattle-based Plum Creek Timber, which said 404 standards are causing auditors to perform unnecessarily extensive tests and checks — inflating compliance costs.
“While our experience under Sarbanes-Oxley has been positive overall, the costs of implementing and complying with the act have far exceeded anyone’s expectations,” wrote Plum Creek, which paid its audit firm $699,200 last year for 404-related services.
But judging by the dozens of reports filed so far by Pacific Northwest companies, there were a lot of sloppy corporate practices waiting to be unearthed:
Kirkland-based Captaris said its computer systems were inadequate for reporting financial information;
Cray, the Seattle-based supercomputer company, said its tax oversight left much to be desired;
Advanced Digital Information of Redmond said it lacked a formal process for ensuring that unusual transactions were properly accounted for.
“We expected and we found that a lot of companies had significant deficiencies,” said Bob Lipstein, KPMG’s national partner in charge of 404 services. “There’s a tremendous amount of deferred maintenance that’s built up over the years.”
When all is said and done, Lipstein said, he expected about 10 percent of Corporate America would report “material weaknesses” in their controls. (According to the 404 rules, a material weakness means there’s a “more than remote” chance that wrong numbers could slip into financial reports undetected; it doesn’t automatically cast suspicion on the reports.)
So far, the Northwest is running slightly ahead of that pace. A Seattle Times review of filings from the region’s 165 publicly traded companies found two dozen reporting material weaknesses; a dozen more said they found less significant deficiencies or took advantage of the review process to strengthen their controls.
More adverse reports are likely to turn up, since many companies whose fiscal years differ from the calendar year have yet to report, and the SEC recently cut small companies a break by extending their compliance deadlines to next year.
Not a sexy topic
In the world of corporate finance, internal control is probably the least sexy area imaginable. If mergers and acquisitions are zooming the Porsche down Highway 101 with the top down, internal control is taking your Corolla to Jiffy Lube.
Good internal controls are meant to ensure that a company’s financial reports reflect reality and that company assets are being used properly — and to give early warning if something’s amiss. Keeping current with tax-law changes, having a designated person sign off on purchase orders, making sure unauthorized people can’t get into computerized records — all those and more fall under the broad category of internal controls.
Like the other corporate-governance reforms in Sarbanes-Oxley, Section 404 was a response to the corporate scandals. Under 404, public companies must assess the effectiveness of their internal controls every year; their outside accountants must run a separate internal-control audit and state whether they agree with management’s conclusions.
Almost since the day the SEC released final 404 rules in June 2003, companies have complained about the time and expense of complying. And there’s no doubt 404 has contributed to soaring corporate audit expenses, whether a company’s internal controls are in order or not.
Loudeye, for example, paid its accountants $690,770 last year, more than twice the 2003 tab of $288,180. But Columbia Banking System in Tacoma paid its accountants nearly four times as much in 2004 as it did in 2003, even though the bank’s internal controls got a clean bill of health.
Ann Yerger, executive director of the Council of Individual Investors, argues that it’s money well spent. The council represents more than 140 large pension funds with more than $3 trillion in assets.
“Internal audit functions have been kind of the backwater of corporate finance departments — a cost center that needs to be minimized,” Yerger said. “But internal controls are the cornerstone of the financial statements. For our members, the more comfort they have in the internal controls, the more comfort they have in the reported numbers.”
Brad Tilden, chief financial officer at Alaska Air Group, said last year’s 404 self-examination cost the Seattle company 20,000 person-hours. The company had to postpone some planned automation projects and upgrades, he said; the company’s audit fees doubled, to $1.8 million, due in large part to Section 404.
The review was worthwhile even though it didn’t turn up any issues, he said.
“We feel that in the long run, there’s a good chance it will be a good investment for the company,” he said. “(Sarbanes-Oxley) forces discipline on a business, and while we’ve always been a fairly disciplined business, it’s a good reminder for all companies to get the basics right before getting involved in new activities.”
One recurring theme in Pacific Northwest companies’ 404 reports: corporate accounting and finance departments that are too thinly staffed, particularly among businesses that have been scrambling to survive the tech wreck.
Loudeye, for instance, said many of the weaknesses in its controls stemmed from rapid turnover in its accounting and finance department: After a restructuring plan was unveiled last summer, four of the department’s five employees — including the senior vice president of finance — said they were quitting. At the same time, Loudeye was in the midst of an acquisition.
According to its 404 report, Loudeye muddled through by hiring temps and persuading three employees to stay longer than they’d intended. Eventually the company replaced all the departing workers and added three new accounting/finance positions.
But the lack of sufficient — and sufficiently trained — workers led to a host of deficiencies, from errors in accounting for the acquisition to a lack of oversight of routine matters such as tracking royalty payments and invoicing customers.
Captaris, whose software allows faxes to be received and read on desktop computers, conceded in its report that “insufficient emphasis” was put on internal controls while the company went through “two divestitures, the acquisition of new domestic and international businesses and product lines, and a broadening and diversification of our business.”
As a result, the company said, it lacks “sufficient and specialized technical accounting personnel.” It plans to add staff members and bring in outside consultants.
Shurgard Storage in Seattle said there’s a particular lack of knowledge of U.S. accounting standards at its European subsidiaries, and no training plan to bring the Europeans up to par.
“As a result,” Shurgard stated, “certain processes and controls that are necessary to ensure our financial statements are fairly presented, are either performed by individuals with inadequate experience or not performed at all.”
Other common problems turned up by 404 reviews: lax computer controls, lack of clear policies and procedures to make sure information was recorded and reported properly, and subsidiaries or overseas operations that weren’t following the head office’s rules.
All this is just the beginning. KPMG’s Lipstein noted that 404 is a permanent obligation, not a one-time tune-up.
“A lot of companies have been working so hard to get through the first year of compliance that they haven’t had time to focus on year two,” he said. “They’re just now building the infrastructure for year two and beyond.”
Eric Chiappinelli, a professor of corporate law and securities regulation at Seattle University, said it will be tough to assess 404’s long-term effectiveness: “In a sense, I don’t think we’ll ever really know, because it’s meant to prevent fraud, and how can you know what you’ve prevented?”
He has his doubts, though.
“The core of all corporate governance is management integrity, and you can’t legislate or educate integrity,” he said. “If you don’t have management with an ethical sense, there will be a problem someday, somewhere.”
Drew DeSilver: 206-464-3145 or firstname.lastname@example.org