New Group for Reporting: Public Company Accounting Oversight Board

To govern financial reporting and internal control, SOX established the Public Company Accounting Oversight Board (PCAOB) under Section 101 of the Act. PCAOB, pronounced peek-a-boo, is a nonprofit organization under the authority of the SEC.³

PCAOB sets financial reporting and audit standards for public companies while monitoring public accounting firms. The SEC Board appoints the PCAOB members in consultation with the executive branches of the monetary authority of the Federal Reserve System, and the fiscal authority of the U.S. Treasury Secretary. Some contend that the SEC has too much control over the PCAOB, which should be more independent in setting audit and reporting standards. Further, there is legal controversy regarding whether appointment of PCAOB members should be made directly by the SEC or through a legislative confirmation process appointed by the U.S. President. Although the U.S. Appeals Court found in August 2008 that PCAOB board members are not officers under the U.S. Constitution and thus are not required to be appointed by the U.S. President, this process may change under appeal.

Since SOX’s implementation in 2002, firms have devoted considerable internal and external talent and monies to achieving the SOX framework for internal control. The legislation required all U.S. firms with SEC-registered securities to comply on their periodic financial filings, including annual 10-K reports (with exceptions granted to non-U.S. firms). Many small firms felt overburdened by the scope of the reporting requirements, voicing protests that the costs of compliance outweighed the benefits and made them less competitive compared to international firms based outside the United States. Additionally, several U.S.-based multinational firms have switched to a principles-based focus with the adoption of international accounting standards prepared according to the International Financial Reporting Standards (IFRS). Current transition to IFRS is set for 2014, with some firms choosing early conversion by 2009. The global financial crisis necessitated further coordination between the U.S. FASB and the international accounting standard equivalent, International Accounting Standards Board (IASB). Some U.S. firms are discussing the postponement of adapting IFRS in the face of understanding new changes in disclosures that are expected.

Section 404: Internal Controls and Compliance Management

The post-Enron regulatory environment placed heavy emphasis on establishing internal controls and compliance by management. Section 404 required all firms to describe and document key internal controls, test and verify those controls, and disclose material weaknesses. External auditors are charged with the responsibility of reviewing, auditing, and independently assessing these internal controls documents and stating their opinion on the fairness of these controls. Management is charged with the responsibility of reporting on the quality and effectiveness of internal controls on a regular basis. This requires a comprehensive documentation process. The auditor is responsible for reviewing all of the control reports and inputs to certify that management has accurately described the internal control environment.

SOX implementation required U.S. firms to address internal control issues that some firms had not implemented previously in a control framework such as COSO.

Section 302: Who Is Responsible for Financial Reporting?

This section, referred to as the “signature clause,” was initiated as a response to prior scandals where corporate executives denied involvement or knowledge of fraudulent filings. Its purpose was to charge senior management with accountability and to certify the reporting responsibility of financial statements. Public quarterly and annual reports were now required to be certified by senior management. The buck stops at the top, as the CEO, CFO, and other senior executive officers responsible for signing and certifying the financial reports, could no longer claim ignorance on financial disclosures. The measures in Section 302 require firms to establish a control framework for internal controls and reporting. The penalties for noncompliance are substantial for the executive officer, with criminal charges, fines, and possible jail time if convicted. These penalties are fines of up to $1 million and 10 years in prison for the submission of a wrong certification, or if done willfully, a maximum penalty of $5 million with increased prison time of 20 years. This indicates the seriousness of the legislation and firms developed substantial risk monitoring and reporting processes to handle the internal controls. Companies can use a chain-of-command approach by requiring business managers and staff at lower levels to first sign off on the financial statements’ compliance and adequacy.

At the heart of Section 302 are four specific requirements:

1. Establish the officers responsible for certifying the financial reports.
2. Require that the designated officers review the report and sign off on internal control.
3. Certify that statements do not contain misleading or materially untrue information.
4. Certify that the statements represent clearly the financial condition and results of operations of the firm.

Under Section 302, the signing officers will not only disclose these statements to external auditors and in periodic SEC filings, that is, 10-K and 8-Q, but also to internal stakeholders such as the audit committee and the board of directors. If there are deficiencies in internal controls, these are also to be disclosed to the external and internal participants. Along with this disclosure comes the responsibility for establishing and maintaining a framework for internal controls. The signing officer will evaluate the controls process 90 days prior to public release of the report and evaluate the effectiveness of those controls for the reporting date. See Box 21.1.

Given the signing officer’s personal stake in the disclosure process, SOX implementation created a high need for risk reporting and monitoring. Firms have established detailed electronic trails with procedures to support the sign off. Of concern is materiality of errors in financial statements where a misstatement would affect a reasonable investor’s view of a company. Prior to SOX, external auditors often viewed a material weakness as when the misstatement caused an adjustment of 5 percent or more in pretax income. SOX dissolved any predefined quantitative threshold for materiality.

The ERM financial reporting component identifies internal control gaps or control weaknesses and senior management is held responsible for disclosing key deficiencies. Adding to the ambiguity in materiality is that if an internal weakness created a significant error, this would not be material if reported to the external auditors. But it would be material if discovered in the internal audit or risk assessment and not reported, thus exposing the signing officer to face criminal actions. An effective ERM plan would recognize this risk as significant and work with SOX compliance staff to integrate the gap into internal control compliance.⁴

Accounting for Derivatives—FASB 133

After 10 years of work initiated in response to significant derivatives losses that remained unreported by firms, the Accounting Standards Board implemented a new standard—Accounting for Derivatives Instruments and Hedging Activities FASB 133, effective in 2001.⁵ Financial reporting for derivatives would now take a fair value approach. The objective was to measure a firm’s derivatives value on a mark-to-market or fair value basis on the balance sheet, as an asset or liability, rather than in notes to financial statements.

Where firms use derivatives to hedge, the intent is that if an asset had a loss in value, the derivative should have a corresponding gain to offset the underlying asset’s loss. Changes in fair value flow through as gains or losses and are recognized in current period income. The underlying asset or liability is also mark-to-market and adjustments similarly flow directly through to earnings. The new rules were designed to expose the underlying volatility of the derivatives contract to the hedged balance sheet item by reporting changes in corporate earnings. Shareholders would benefit from these changes with improved information as management would have less opportunity to smooth earnings. However, financial reporting is still anything but transparent for investors, creditors, and regulators, as accounting choices and conflicts still exist.

Firm Choice for FASB 133 and Disclosure Risk Management

FASB 133 is a mixed disclosure philosophy for firms as it does not fully require mark-to-market accounting for derivatives. This is referred to as a mixed attribute model for accounting treatment that is neither “fish nor fowl,” but a combination of financial reporting based on both historic cost and mark-to-market. Firms can choose to designate a derivatives position as either not for hedging or as a hedging instrument. A firm can report three types of hedge accounting: (1) fair value hedges, (2) cash flow hedges, and (3) net investment hedges in a foreign operation.

A fair value hedge is the hedge of the fair value of an asset or liability at a market value. To qualify, the hedged item must be bought, sold, or committed at a definite price and date. The gain or loss on the derivative appears in current income in the same period, along with the gain or loss on the hedged item.

Cash-flow hedges are permitted on the forecasted risk of uncertain cash flows. Strict criteria for performance need to be met to qualify for a cash-flow hedge. The time frame for measuring these criteria commences when the hedge is instituted. The gain or loss of the hedged component is reserved in “other comprehensive income” (OCI) and moved into income during the appropriate recognition period. Examples of cash-flow hedges are interest rate exposure for variable or floating interest rates, planned purchases or sales of assets, planned issuance of debt or deposits, planned purchases or sales of foreign currency, and currency risk associated with proposed cash flows.

Net investment hedges relate to foreign currency hedging for foreign operations and allowed FASB 52 to effectively continue. Effective hedges are consolidated into OCI with translation adjustments. Any differences between total hedged results and translation adjustments flow through income directly.

Consider the difference between fair value and cash-flow hedges and the effect on disclosure. Firms with sales in foreign currencies may use forward contracts to hedge accounts receivables. Let’s assume that the accounts receivable sale for a U.S.-based company is €1 million due in three months and the exchange rate when the sale made is $1.30 for €1. This represents a dollar sales value of $1.3 million. The company chooses to hedge immediately by selling euros forward in exchange for dollars at a price of $1.25. This reduces the uncertainty of being unhedged, but costs the firm $50,000 ($1.25–$1.30 times €1 million) as the accounts receivable exchange rate is more than the forward rate. The appeal of cash flow hedging is that the forward contract, which has a predetermined loss at the outset, is amortized over the period of the receivable. This contrasts with fair value accounting, which directly affects income during each accounting period while the receivable is still outstanding. Under fair value, the forward contract is marked-to-market at each reporting period at the market rate compared with the asset value. Thus, the fair value method increases variability even when costs are established upfront with the initiation of the forward contract.

Many corporations use a combination of all three methods, especially for derivatives that are not exchange-traded but traded privately in the over the counter market. This makes disclosure in financial reports nontransparent. The financial statement details show that the impact of derivatives is hidden and parked in OCI along with other nonhedging items, or pass directly into current income, again with other income items. It is impossible for an investor or creditor to gauge the impact of derivatives use because the information is buried in the financial statements and the financial footnotes. Firms contend that separate disclosure would damage their competitive position. Going forward from the global financial crisis, firms and investors will benefit from better disclosure with FASB 161. After November 2008, “Statement 161 requires companies with derivative instruments to disclose information for financial-statement users to understand the level of derivative activity entered into by the company.” These disclosures require standardized tabular reports illustrating the derivatives instruments by their underlying risk exposure (interest rate, credit or foreign exchange, for example) and by hedge designation (fair value, cash flow, or net investment).⁶

Paring Down Internal Control: Auditing Standard 5 (AS5)

SEC issuers, especially smaller firms, were critical of Section 404, stating that it was unreasonably burdensome, expensive, and time-consuming. In response to the criticism, the PCAOB adopted a new standard, AS5, in July 2007, which still requires auditors to test the effectiveness of a company’s internal controls, but allows a more principles-based approach, including relying on the work of others. The focus shifts internal controls reporting from bottom-up to top-down, as a risk-based ERM approach. Bottoms-up means instituting risk assessments unit by unit at local levels and then rolling the results upward. A bottoms-up approach incurs increased cost as it views controls at a detailed level rather than at the optimal corporate level. Top-down means looking at company-level risks first, with an assessment of where material risks could arise, and then focusing on key controls. Top-down requires that board members and senior management establish the strategies of risk management, then use internal control to aid in reporting and decision making.

AS5 streamlined reporting and required just one opinion from auditors on compliance for internal control for financial reporting. A survey of internal audit professionals in 2008 reported that many have decreased the time spent on compliance since AS5 was introduced.

Connie Whitecotton, Chief Risk and Compliance Officer at Alfa Corporation, slashed external audit hours by 60 percent, bringing total 404 compliance costs for Alfa way down. Her secret was to shift from simply achieving compliance on 404 to a 404 audit based on the ERM program she was implementing. The company identifies risks, but also assesses whether each risk is material, evaluates which risks require action, determines how to mitigate risk and then monitors the process of mitigation (Treasury & Risk, February 2008).

Global Financial Crisis and ERM

Risk managers need to be perceived like good goalkeepers, always in the game and occasionally at the heart of it, like in a penalty shoot-out.

—The Economist, 2008, Goals and goal keepers

Corporations in 2008, especially financial institutions, found disclosure risk management at the heart of a category five storm. This storm began quietly at the beginning of the century when low interest rates and several legislative changes allowed banks and investment banks to compromise standard lending practices on mortgage loans. Further, by securitizing assets in structured pools in traded credit products such as CDO tranches and other asset-backed securities, this risk was dispersed globally. Poor corporate governance by the firms, outright fraud on the creation of the underlying mortgages, faulty regulatory oversight, and rating agency conflicts of interest added to the storm.

The financial crisis exposed weaknesses in the disclosure processes of risk management at major global financial firms. Senior managers at many of these firms failed to identify and report the maximum exposure in trading positions, believing that securities were liquid and saleable to third parties. Further, they failed to reject risky new deals and establish adequate controls in the trading account. Consider the confessions of an anonymous risk manager at a large commercial bank:

Over time we accumulated a balance-sheet of traded assets which allowed for very little margin of error. We owned a large portfolio of “very low-risk” assets which turned out to be high-risk. A small price movement on billions of dollars’ worth of securities would translate into large mark-to-market losses. We thought that we had focused correctly on the non-investment-grade paper, of which we held little. We had not paid enough attention to the ever-growing mountain of highly rated but potentially illiquid assets. We had not fully appreciated that 20 percent of a very large number can inflict far greater losses than 80 percent of a small number. (“Confessions of a risk manager,” Spoilsport section, The Economist 2008)

A study by Towers Perrin for insurance CFOs suggests that the vast majority lack the tools necessary to identify, prioritize, and measure risk at the enterprise level, yet these same firms are in the business of managing credit, market, interest, and operational risks. Federal Reserve Chairman Ben Bernanke posits that quantifying economic capital and market liquidity risks are essential to the well-being of financial institutions. He suggests that business managers had little incentive to compile this information. Better management of trading company positions as is done with “held to maturity” assets would have had management limiting exposures and perhaps limiting the level of mortgage assets issued during this housing asset bubble. Again, disclosure transparency can only aid the firm and its stakeholders in understanding its business.⁸

Reexamining Fair Value Accounting: FASB 157

In light of the 2008 financial crisis and U.S. government bailout package that purchased distressed bank assets and injected capital, the issue of fair value accounting for financial assets under FASB 157 returns to center stage. The underlying question is: When should assets that are marked to market in a trading portfolio currently based on “fair value” be reclassified to “held to maturity”? U.S. GAAP and IASB permit a firm to reclassify those trading assets, which originally were marked to market and would flow through the income statement, to be measured at amortized cost and subject to testing for impairment. In the United States, fair value relates principally to derivatives values, while IFRS applies to assets and liabilities in general.

Although IFRS has allowed companies the flexibility to reclassify fair-valued assets, the U.S. regulators have not been as consistent. In October 2008, the SEC released clarifications regarding fair value accounting under FASB 157. This statement established a framework for measuring fair value of an asset at a specific date between market participants. Level 1 assets are those that can be marked-to-market using a readily quoted price in an active market. Examples are stocks or futures contracts traded on an organized exchange, where bid-and-ask prices show the demand for securities and actual prices trade and can be observed impartially to mark to fair value. Level 2 assets are widely quoted and standardized, but not exchange traded. Level 3 are illiquid assets with values that are based entirely on management’s best estimate and with underlying value that is derived from mathematical models. These assets use the mark-to-model and values are estimated based on unobservable market prices and management’s assumptions using inputs for liquidity, credit risk, and market risk. Especially in the distressed mortgage market in the second half of 2008, firms had difficulty in measuring the fair value of these assets as these markets were inactive. In the words of the SEC, “the concept of a fair value measurement assumes an orderly transaction between market participants, where an orderly transaction is one that involves market participants that are willing to transact and allows for adequate exposure to the market.” FASB subsequently issued clarification in early October, which gave management leeway in determining value, which may be based on factors such as internal models, recent market inputs, or broker quotes.

Academics and industry executives initially predicted that FASB 157 would increase a firm’s earnings volatility. This was not borne out initially. A study by Andrew Alkon found that the financial services sector performed well when measured by earnings and that there was not a significant change in earnings volatility.⁹ There are several possible reasons for this outcome. One possibility is that volatility was at a low level during this time and had not yet changed during the study period. However, financial risk was quite high. Noble Laureate Dr. Robert Engle suggests that volatility is mean reverting, and would increase to a much higher level. Historically, he posits that when volatility increases sharply, the equity markets will decline. The global credit crunch of 2007–2008 reflects this mean reverse to historic high volatility. Transparency continues to be a problem as much derivatives detail continues to be reflected in financial statement notes and not discernible on the balance sheet.¹⁰

Conflicts with International Standards: Rules versus Principles

On August 27, 2008, the SEC voted to consider whether adoption of the use of IFRS by U.S. firms should begin in 2014. IFRS reporting is more principles-based than rules-based as in the United States. This raises the following question for firms in an ERM context: Can the international standards be regarded as more effective considering that firms in Europe were also heavily involved in the global crisis? The fundamentals of IFRS are that public disclosure information has a qualitative component that is useful, understandable, relevant, and reliable. The expectation is that there will be a more meaningful dialogue between firms and auditors to disclose risks. The most important facets of IFRS in theory are transparency and reliability from period to period. But as the saying goes “good disclosure does not make up for good accounting and financial reporting.” Moreover, the notion of fair value of assets and liabilities is subjective when criteria are not standardized, which can lower the reliability of the information publicly disclosed for investors. The capital markets of Brazil, Canada, China, India, Japan, and Korea will either convert to or have plans to converge to IFRS by year-end 2010. Not all U.S. companies are convinced that conversion will be beneficial overall, as some have suggested that there will be a negative accounting effect during the conversion, in addition to the conversion costs of implementation of new management philosophies, personnel, and systems. A global international advisory board with the two accounting standards boards is reviewing financial reporting issues related to the credit crisis, to consider these issues.

In the aftermath of the global financial crisis, IASB and FASB are deliberating substantive changes to the reporting and measurement of financial instruments. These changes will be as sweeping as SOX and FASB 133. This quickly moving environment highlights the importance of ERM managers and boards to work with senior executives and develop risk management policies that are evolutionary and adaptive. See Box 21.2.

Adding ERM to Company Credit Ratings

Standard & Poor’s incorporates ERM practices into its credit rating process for financial firms and expects to also do so for nonfinancial firms. Standard and Poor’s experience with ERM by insurance firms after Hurricane Katrina suggests that firms with strong ERM practices were able to quickly estimate losses within 25 percent of claims. Those with weak ERM practices were unable to quantify exposure and had greater losses than expected (Standard & Poor’s 2007).

To meet the stated expectations of rating agencies, the implementation of ERM by nonfinancial firms with no previous exposure to the concept of ERM could be costly. Although this is a topic of discussion, there is not yet meaningful action by many nonfinancial firms, except on an ad-hoc basis. Firms may be frustrated with the additional requirements, as happened with SOX, but also may not understand ERM’s importance except when a “storm” hits. One financial argument in favor of adopting ERM is that the firm will receive a better credit rating, which will reduce the cost of capital and improve profitability.