A massive alleged fraud at a Milwaukee firm has added more fuel to the ongoing debate about whether smaller publicly traded companies in the United States should stay exempt from an independent audit review of internal controls for financial reporting under Sarbanes-Oxley section 404.
In January, the United States FBI announced that a grand jury in Milwaukee brought down a six-count indictment of wire fraud against Sujata Sachdeva, the 46-year-old former vice-president of finance, secretary and principal accounting officer for Koss Corporation, a major producer of stereo headphones in the U.S.
Sachdeva is accused of having masterminded a fraud in excess of $31 million over more than four years, representing one of the largest embezzlement cases ever in Wisconsin. Koss announced in a press release that they now need to restate financials for at least three previous fiscal years as a result.
Michael Koss, the president and chief executive officer of Koss, told The Bottom Line, “We are working with federal authorities on this investigation and cannot comment at this time.” The newspaper also tried to contact the Milwaukee law firm representing Sachdeva, who was fired last December, but they were unavailable for comment.
SOX 404(b) states that “each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.”
However, an exception is currently granted to public companies such as Koss, which are referred to as “non-accelerated filers” because their market value is less than $75 million. Last December, the U.S. House of Representatives passed The Wall Street Reform and Consumer Protection Act of 2009, which, if ultimately signed into law, will permanently retain that exemption; otherwise non-accelerated filers would be required to comply beginning this June 15.
Many people south of the border, including officials in the American Institute of Certified Public Accountants, want this exemption removed.
“We don’t believe there is a substantial reason for differentiating between investors in large companies and investors in small companies when we’re looking at the transparency and accuracy of financial statements,” says Peter Kravitz, director of congressional and political affairs for the AICPA in Washington, D.C.
“The entire purpose of the Sarbanes-Oxley Act is to protect investors in public companies” and to ensure “that they’ve got full, accurate and transparent information regarding companies they’re investing in, or considering investing in.”
Consequently, the AICPA and others are lobbying hard for change. A key focal point right now is the U.S. Senate. The Senate banking committee is preparing a draft for another bill that the AICPA and others hope contains a provision to extend coverage to all public companies, regardless of size. Then they would like to see the new Senate bill become law, in place of that already passed by the House of Representatives.
The Washington, D.C.-based Center for Audit Quality, a not-for-profit organization whose board is comprised of leaders from the AICPA, public company auditing firms, as well as the investor and issuer communities, also strongly supports removal of the exemption for non-accelerated filers.
“Investors in larger public companies have had the protections of 404(b) for a number of years now, and we think it would be detrimental to investors in smaller companies not to have the same protections,” says Cindy Fornelli, the center’s executive director. “We feel very strongly that investors in any public company, regardless of their size, are entitled to the same protection.”
The main argument for exempting small and medium enterprises is that requiring an additional external audit attestation of internal controls will impose a heavy financial burden on smaller law-abiding firms who are running a clean ship.
“In terms of a cost-benefit analysis, we know this regulation is costly to implement, and there are fixed costs, so it’s disproportionately costly for a small firm. That’s always the issue with this type of regulation,” says Michelle Hanlon, an associate professor of accounting at the MIT Sloan School of Management in Cambridge, Mass.
A key element of the cost-benefit debate for proponents of a SOX 404(b) with no exceptions based on size is that an independent audit attestation of the reliability of internal controls can decrease the probability of reporting errors, and possibly increase the likelihood of uncovering some types of fraud, thereby providing shareholders with enhanced confidence in reported earnings.
But increased audit costs will also decrease earnings and that, too, impacts shareholders, Hanlon notes.
“I recognize the benefits are hard to quantify, and that makes it very difficult. But I haven’t seen anything yet which persuades me the benefits outweigh the costs for all filers, regardless of size,” says Michael Pearson, a professor of accounting at Kent State University’s College of Business Administration in Kent, Ohio. “Certainly when looking at the smaller companies — the ones with values under $75 million, I would be in favour of continuing with the exemption for that reason,” he adds.
Fornelli acknowledges that smaller companies are worried about the financial burden an additional audit requirement would impose on them.
“We appreciate there were concerns about the costs for smaller companies to comply with section 404(b). But the Center for Audit Quality, the Securities and Exchange Commission, and the Public Company Accounting Oversight Board have all undertaken a number of efforts to address those concerns and to help manage those costs while not compromising audit quality,” she emphasizes.
For example, Fornelli notes, when the PCAOB introduced its audit standard AS-5, adopted in 2007 to replace AS-2, the newer standard had a much more risk-based approach. Thus the audit scope and associated costs can be better tailored to fit the facts and circumstances a company faces, she says.
Opinion is also divided with respect to how effective an independent audit attestation of internal controls might have been in preventing fraud of the sort that allegedly occurred at Koss, had they been subject to the provisions of 404(b).
If the allegations stated are proven in court, it appears there was a massive breakdown of basic internal controls at Koss. The FBI Milwaukee office’s press release announcing the indictment alleges “Sachdeva sought to conceal her fraud by directing other Koss employees to make numerous fraudulent entries in Koss’s books and records to make it appear that Sachdeva’s fraudulent transfers were legitimate business transactions.” They also allege she directed staff to conceal such entries from the company’s management and auditors.
Leonard Peace, the FBI’s Milwaukee-based public affairs specialist, told The Bottom Line that the agency “can’t comment on pending matters.”
If the alleged fraud at Koss occurred as described, this would be “a classic case of what I would call a management override of internal controls,” stresses Pearson. “The controls that should (have been) applied here are quite basic. A single individual should not be permitted to authorize and record a transaction, and also maintain custody over assets.”
Furthermore, even though Koss’ size is such that it qualifies as a non-accelerated filer under 404(b), it is still a public company subject to a financial statement audit. And “even in a non-section 404 audit, part of the audit process includes developing an understanding of the business, its environment, and its internal controls,” Pearson emphasizes.
“I think that’s something of a misconception on the part of financial statement users — that (in) non-section 404 audits, internal controls don’t get coverage. Internal controls are not ignored. In this case, there certainly should have been some involvement with the client’s internal controls on the auditor’s part,” he adds.
Koss’ independent auditor, Grant Thornton, was fired last New Year’s Eve. The global accounting and audit firm, whose U.S. headquarters are in Chicago, did not return phone calls to The Bottom Line.
In Canada, the closest equivalent to SOX 404 is the Canadian Securities Administrators’ National Instrument 52-109. Under NI 52-109, the chief executive officer and chief financial officer of a publicly traded firm must sign off on the veracity of internal controls for the purposes of financial reporting. However, no public companies of any size in Canada are required to have an independent audit attestation to provide shareholders with an additional layer of assurance that internal controls for financial reporting are functioning as they should.
Moreover, says Steve Salterio, a professor at the Queen’s University School of Business in Kingston, Ont., “We backed into this business in Canada in a very interesting fashion. It wasn’t actually until Dec. 15, 2008 that we had management certification they’d done an evaluation (and) tested the controls, and a requirement to disclose this to the public. So Canada’s been very, very late in the game,” he says.
“No entity has to have a separate audit of internal control,” acknowledges Greg Shields, director of auditing and assurance standards at the Canadian Institute of Chartered Accountants in Toronto.
Shields points out that Handbook standard 5925 — An audit of internal control over financial reporting that is integrated with an audit of financial statements — deals with an audit of internal controls over financial reporting in cases where the auditor has been voluntarily asked by a client to provide a report on internal controls, or on a contingency basis in case a regulator opts to require it in the future. This audit would be integrated with the financial statement audit.
However, “standards have been beefed up in recent years to require auditors to be a lot more proactive in looking for, and responding to fraud,” he says.